PGP adoption in my email inbox

I have been working on refactoring Sephia Five lately, and in the process I have made some pretty stunning discoveries. One of the features I am working on is automatic import of public PGP keys from a key server for everyone who has ever sent me an email, or who has been a recipient of an email sent to me. Sephia Five does this automatically as it inserts a new contact into my database.

This feature is pretty kick ass cool I think. It automatically searches a key server for the fingerprint the email was cryptographically signed with and/or the email addresses of all of its recipients, and if a key is found, it downloads the PGP key, imports it into my GnuPG keyring, and associates its fingerprint with my “contact” record. Even though it goes through these additional “hoops”, it is still able to download more than 100 emails per minute, including their attachments. This email inbox is probably an “average email inbox”, I’d say, since it’s a Gmail address that has been actively used for several years.

One of my email addresses is phosphorusfive@gmail.com, and over the last couple of years 621 people have sent me an email on this account and/or been recipients of emails sent to me. Out of these 621 email addresses, only 15 have public PGP keys uploaded to the Ubuntu key server. For the record, since these key servers replicate each other constantly, this implies that roughly 2.4% of the people in my email inbox currently have a public PGP key publicly available. However, it gets worse …

I store whether or not an email sent to me has been cryptographically signed, and according to my email inbox, not one single person has cryptographically signed his or her email to me since I registered this account. This implies that of the 15 people above who actually have a PGP key, none of them are actually using it! I have 1335 emails in my inbox. They come from 127 different email addresses. Not one of them was cryptographically signed!
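
The lookup and tally described above, as an added example in Python that is not Sephia Five's own code: it parses the machine-readable index a key server returns for an address, drops revoked, disabled or expired keys, insists the address appears exactly in a user ID (the key-server search itself is only a substring match), and counts how many contacts have a usable key. The key-server replies are constructed sample data so it runs offline, and the function names are my own.

```python
from typing import Callable, Dict, List, NamedTuple, Optional
from urllib.parse import unquote
# Constructed HKP replies (what /pks/lookup?op=index&options=mr&search=<addr> returns).
SAMPLE_REPLIES: Dict[str, str] = {
    "alice@example.org": "info:1:1\n"
        "pub:0123456789ABCDEF0123456789ABCDEF01234567:1:4096:1500000000::\n"
        "uid:Alice%20Example%20%3Calice%40example.org%3E:1500000000::\n",
    "bob@example.org": "info:1:1\n"  # old key that has since expired (flag e)
        "pub:89ABCDEF0123456789ABCDEF0123456789ABCDEF:17:1024:1199145600:1262304000:e\n"
        "uid:Bob%20%3Cbob%40example.org%3E:1199145600::\n",
    "dave@example.org": "info:1:1\n"  # substring hit on somebody else's uid
        "pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:1:2048:1500000000::\n"
        "uid:Not%20Dave%20%3Cnotdave%40example.org%3E:1500000000::\n",
    "carol@example.org": "info:1:0\n",  # nothing on the key server
}

class KeyRecord(NamedTuple):
    fingerprint: str
    expires: Optional[int]  # unix time, None = never expires
    flags: str              # r=revoked, d=disabled, e=expired
    uids: List[str]

def parse_hkp_index(text: str) -> List[KeyRecord]:
    """Parse the colon-separated machine-readable index into key records."""
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) >= 6:
            keys.append(KeyRecord(f[1].upper(), int(f[5]) if f[5] else None,
                                  f[6] if len(f) > 6 else "", []))
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(unquote(f[1]))
    return keys

def usable_key_for(address: str, keys: List[KeyRecord], now: int) -> Optional[KeyRecord]:
    """Skip revoked/disabled/expired keys; require the exact address in a uid."""
    want = f"<{address.lower()}>"
    for k in keys:
        if set(k.flags) & set("rde") or (k.expires is not None and k.expires < now):
            continue
        if any(u.lower() == address.lower() or want in u.lower() for u in k.uids):
            return k  # exact uid match, not just the server's substring hit
    return None

def tally(contacts: List[str], fetch: Callable[[str], str], now: int) -> Dict[str, object]:
    """Count how many contacts have a usable public key, as in the inbox survey."""
    found = {a: k.fingerprint for a in contacts
             if (k := usable_key_for(a, parse_hkp_index(fetch(a)), now))}
    pct = round(100.0 * len(found) / len(contacts), 1) if contacts else 0.0
    return {"total": len(contacts), "with_key": len(found), "percent": pct, "keys": found}
```

A key found only by address search is still unverified, since anyone can upload a key carrying any user ID; the fingerprint from a signed message that verifies is the stronger signal, and the uid check here only filters out obvious substring hits.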

For the record, this doesn’t in any way constitute statistically valid information, since these kinds of numbers obviously depend on who your friends are and who you send emails to. Since I don’t have any friends in Al Qaeda, MI6, the CIA or the Russian Mafia (at least as far as I am aware), I guess PGP adoption is naturally lower for me and my friends than for many others out there. But it is probably a warning sign regarding the adoption of cryptography “out there”.

CIA does not have a PGP key …!! 😛

Just out of curiosity, I went to the Ubuntu key server and searched for some important “official” email addresses in Norway and the world. The official email address of the secret police in Norway, post@pst.politiet.no, does not have a PGP key. The department of justice in Norway, whose official email address is postmottak@jd.dep.no, had no PGP keys registered either. In fact, not even the official email address of the CIA, post@cia.gov, had a public PGP key.

Pretty interesting facts if you ask me. Jon Skeet has a PGP key though, two in fact, but the newest one is from 2008, which probably implies it was invalidated a long time ago. For the record, all the phosphorusfive@gmail.com PGP keys on the key servers are exclusively for testing purposes, and I have lost most of the private keys associated with those public keys …
