Security information
Security Primer
The Basics
Encrypting data, digitally signing data, or both is often appropriate when exchanging data electronically.
Safeguards are especially important for sensitive information.
Please see the Using Email - Email Disclosure and the Privacy Policy for discussion of related issues.
One of the best existing technologies for encrypting and digitally signing data is public key encryption.
The public key encryption process creates two complex "keys" (these can more or less be thought of as passwords).
The public key is distributed to potential senders, and it functions only for encrypting outgoing data or verifying electronic signatures on incoming data.
The private key is maintained in secrecy by the receiver to sign outgoing data and decrypt incoming data.
Once data has been encrypted using the public key, only the person possessing the corresponding private key may decrypt the data.
Some of our public keys are available to you (1) by downloading one or more of the files below, (2) by request through email, or (3) from a third-party "key server."
Signatures
A message securely signed (but not encrypted) by a PGP-compatible program may appear roughly as follows:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
{Text of email message.}
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://amesiowalaw.com/public/security.html
iQA/AwUBP4xy6L4Rtf0pUXTBEQKXTwCdG3lFMn6yKlKtTULimXPqmU6/ZK8AoJci
d699MeMquv1/cb/RHF5fpEnM
=t6MD
-----END PGP SIGNATURE-----
By using the sender's corresponding public key and the necessary software, the receiver can verify the sender's identity and the time the message was signed.
A digital signature such as this is, for all intents and purposes, the sender's signature.
See Iowa Code § 554D.103(7). See also the Iowa Uniform Electronic Transactions Act, Iowa Code ch. 554D and the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 et seq.
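The layout of a clear-signed message like the one shown above can be taken apart mechanically. The following Python sketch is an added example, not code from this page or from PGP Corporation; it assumes the standard OpenPGP layout (RFC 4880) with a blank line after each header group, and the `build_sample` helper and its placeholder signature bytes are constructed for illustration.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    """CRC-24 that ASCII armor appends as the '=XXXX' line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor_checksum(data: bytes) -> str:
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?P<hdr>(?:[^\r\n]+\r?\n)*)\r?\n"
    r"(?P<text>.*?)\r?\n-----BEGIN PGP SIGNATURE-----\r?\n"
    r"(?P<armor>.*?)\r?\n-----END PGP SIGNATURE-----", re.S)

def parse_clearsigned(message: str) -> dict:
    """Split a clear-signed message into hash name, signed text and signature."""
    m = CLEARSIGNED.search(message)
    if m is None:
        raise ValueError("not a clear-signed message")
    headers = dict(h.split(": ", 1) for h in m["hdr"].splitlines())
    # Armor headers (Version, Comment) end at the first blank line.
    armor = "\n" + m["armor"].replace("\r\n", "\n")
    _, _, body = armor.partition("\n\n")
    *b64_lines, checksum = body.split("\n")
    signature = base64.b64decode("".join(b64_lines))
    # Lines of signed text that start with "-" travel as "- -..." (dash-escaping).
    text = re.sub(r"^- ", "", m["text"], flags=re.M)
    return {"hash": headers.get("Hash"), "text": text, "signature": signature,
            "armor_intact": checksum == armor_checksum(signature)}

def build_sample(text: str, signature: bytes) -> str:
    """Constructed message; `signature` is placeholder bytes, not a real signature."""
    escaped = re.sub(r"^-", "- -", text, flags=re.M)
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "", escaped,
        "-----BEGIN PGP SIGNATURE-----", "Version: constructed-example", "",
        base64.b64encode(signature).decode(), armor_checksum(signature),
        "-----END PGP SIGNATURE-----", ""])

if __name__ == "__main__":
    parsed = parse_clearsigned(build_sample("{Text of email message.}", bytes(range(40))))
    print(parsed["hash"], parsed["armor_intact"], repr(parsed["text"]))
```

The `armor_intact` check only detects accidental damage to the signature block in transit. Confirming who signed the text still requires PGP or GPG and the sender's public key.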
Keys and Certificates
Keys have also been published to http://pgp.mit.edu/ and ldap://keyserver.pgp.com/.
PGP & Alternatives
PGP
Pretty Good Privacy (“PGP”), a product of PGP Corporation, is one of the most popular and most secure public key encryption and digital signature programs.
PGP Corporation sells the most current commercial version.
The Massachusetts Institute of Technology provides an older, free public domain version of PGP for noncommercial use.
There are DOS, Windows, Macintosh, Linux, and other versions of this software.
If PGP is installed on your computer, click on the key above to download, and when prompted, click "Open" to install the key.
GnuPG
For the more technically inclined, GNU offers the GNU Privacy Guard (also known as GPG), which is free, open source software. GPG, like PGP, uses a public key encryption system, and GPG both generates and interprets certain types of PGP-compatible keys. This software is available for various operating systems together with various "plug-ins" and "front-ends."
There is an excellent set of mature tools for Windows systems, including a plug-in for Outlook, located at gpg4win.org.
Other Alternatives
We can work with you, within reason, to determine the best way to accomplish security goals.
There are other commercial encryption software options that might be a little easier to use, such as those supplied by Verisign, Inc. (search for "digital ID" or "secure email"), which provides certificates enabling functionality built into popular email software.
Additional Information
There is a substantial amount of information on security and encryption available on the Internet.
There is an "FAQ" at http://www.pgp.net that provides a good start on PGP issues.
If you want to learn more about security and encryption, we suggest reviewing the information available from popular search engines and portals, such as Google.
There are a substantial number of links on cryptography available from the Open Directory Project.