Luca Saiu — public keys

I value privacy and encourage everyone's use of strong cryptography for private communication.


Visit cards

Of course you have no particular reason to trust the information you read on this site over an HTTP connection, or even over HTTPS unless you trust my certificate. If we meet in person you can ask me for one of my visit cards, containing a printed copy of my GPG key fingerprint; I always carry at least a few in my wallet.

Starting from late August 2016 every card also includes an SHA256 fingerprint of the X.509 certificate used on this server. If you have an older version with only the GPG fingerprint the best you can do is to ask me for a copy of the certificate information; I will send it to you by GPG-signed email.

My visit cards now have an "updated" date. The current version is dated 2016-08-24, but includes the correct fingerprint for the certificate activated the next day, on 2016-08-25. In hindsight I should have just printed "2016-08-25".


My server X.509 certificate

For the layperson: this information lets you check that the server you are connecting to is actually mine, rather than some machine belonging to an impostor who wishes to eavesdrop on your traffic.


Why my certificate is self-signed

My certificate is self-signed and I don't plan to ever submit it to a certification authority, as I see no particular reason to trust any entity to guarantee the authenticity of third party keys; on the other hand the reasons to distrust them abound, as shown for example in this hilarious Mozilla bug report highlighting the inherent conflict of interest of commercial enterprises engaged in this activity, particularly after they become well-established. The current political climate makes the argument even stronger, considering that most authorities are based in the US. Even authorities not suspected of any wrongdoing might well engage in the same practices as the famous ones you are thinking about now: US gag laws make it impossible for the public to know, which puts the last nail in the coffin of the credibility of CAs.

Certificates are important, and they should never be accepted blindly: when you accept a certificate tentatively, you should consider the entire exchange to be potentially spied on and tampered with while it happens; in other words the connection is to be treated as no more secure than an unencrypted one. In order to convince yourself that the server you are connected to actually is what it claims to be, you'll have to do your due diligence; and no, this activity cannot be simplified down to the level of the typical Apple fanboy who only understands graphical user interfaces.

If you want to see the authentic fingerprint of my server certificate you can ask me for a visit card, as explained above. You are also welcome to request a copy of the information by GPG-signed email, if you have reason to trust my GPG key — for example my GPG key may have been signed by enough people you know and who can attest that I care about security.


Certification Authorities providing certificates for free

Since a few people asked I clarify that my statements in the previous section also apply to Let's Encrypt, which doesn't magically become trustworthy thanks to its non-profit status. It may very well be run by completely honest people, as some of the commercial entities might be as well; the point is that we, the public, don't have any reason to consider them reliable. We should also keep in mind that the Internet Security Research Group is US-based.

CACert.org issues (gratis) certificates supposedly made credible by a Web of Trust; I have to look into it in more detail, but as far as I understand there is no technical reason to trust the organization not to provide false certificates; are the actual certificates provided by CACert signed by people in my (GPG, or other) web of trust? That model would work, but I can't see how it integrates with the idea of adding CA root certificates to web browsers. In practice the degree of trust I would assign to each server certificate would vary according to how close I am, in WoT terms, to who approved it, making the issuing authority irrelevant. I'm probably missing some detail, but such an arrangement sounds similar to my visit card system.


Certificate information

I use the same certificate for HTTPS and email, plus most other non-public services on this server. The current version was generated on August 25 2016, replacing a different certificate I had only used for a couple of weeks, not worth keeping.

You can download my X.509 certificate in PEM format here as ageinghacker-a.pem. Its SHA256 fingerprint is 869e 670c cad5 560f 1069 c0a8 d37d a790 6fbf ba8a 1f2d 6c12 92ee bda9 a860 44ff. Its SHA1 fingerprint is e00b 1b71 ca98 8051 c0df 132c 5e79 e816 9717 2aeb, but you shouldn't use SHA1 as it now appears to be vulnerable to collision attacks.
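
The check described above, comparing a certificate against a fingerprint obtained out of band, can be scripted as follows. This is an added example, not code from this site: the function names are my own, and the sample PEM is a constructed stand-in rather than a real certificate.

```python
import hashlib
import hmac
import ssl

# SHA256 fingerprint exactly as printed on this page (grouped form).
PUBLISHED_SHA256 = ("869e 670c cad5 560f 1069 c0a8 d37d a790 "
                    "6fbf ba8a 1f2d 6c12 92ee bda9 a860 44ff")


def normalize_fingerprint(text):
    """Reduce 'ab:cd', 'abcd ef01' or 'ABCDEF01' to lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in " :\t\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA256 fingerprint: %r" % text)
    return cleaned


def pem_sha256(pem):
    """The fingerprint is SHA256 over the DER encoding, not over the PEM text."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def matches_published(pem, published=PUBLISHED_SHA256):
    """Constant-time comparison of a certificate against a trusted fingerprint."""
    return hmac.compare_digest(pem_sha256(pem), normalize_fingerprint(published))


def check_server(host, port=443, published=PUBLISHED_SHA256):
    """Fetch the certificate the server presents, without CA validation,
    and accept it only if it matches the out-of-band fingerprint."""
    pem = ssl.get_server_certificate((host, port))
    return matches_published(pem, published)


# Constructed stand-in bytes, NOT a real certificate: enough to show that the
# hash is taken over the decoded DER bytes and that a mismatch is rejected.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    print(pem_sha256(SAMPLE_PEM))
    print(matches_published(SAMPLE_PEM))  # the stand-in is not the real cert
```

check_server needs network access; the other functions work on a PEM file you already have, such as a downloaded copy of the certificate.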

This is the information printed by certtool --certificate-info. You should check that it matches what your client says.

X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 00ebef713058d5050b
	Issuer: CN=ageinghacker.net,CN=aginghacker.net,CN=lists.ageinghacker.net,CN=lists.aginghacker.net,CN=mumble.ageinghacker.net,CN=mumble.aginghacker.net,CN=abelson.ageinghacker.net,CN=abelson.aginghacker.net,CN=*.ageinghacker.net,O=Luca Saiu,O=ageinghacker.net,EMAIL=luca@ageinghacker.net
	Validity:
		Not Before: Thu Aug 25 19:43:05 UTC 2016
		Not After: Mon Aug 19 19:43:05 UTC 2041
	Subject: CN=ageinghacker.net,CN=aginghacker.net,CN=lists.ageinghacker.net,CN=lists.aginghacker.net,CN=mumble.ageinghacker.net,CN=mumble.aginghacker.net,CN=abelson.ageinghacker.net,CN=abelson.aginghacker.net,CN=*.ageinghacker.net,O=Luca Saiu,O=ageinghacker.net,EMAIL=luca@ageinghacker.net
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (4096 bits)
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (not critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			DNSname: ageinghacker.net
			DNSname: aginghacker.net
			DNSname: *.ageinghacker.net
			DNSname: *.aginghacker.net
	Signature Algorithm: RSA-SHA256
Other Information:
	SHA1 fingerprint:
		e00b1b71ca988051c0df132c5e79e81697172aeb
	SHA256 fingerprint:
		869e670ccad5560f1069c0a8d37da7906fbfba8a1f2d6c1292eebda9a86044ff
	Public Key ID:
		748e4f322e10f17394301fe16a76b3bdc5a2dd37
	Public key's random art:
		+--[ RSA 4096]----+
		|    . o.+o       |
		|     o =..       |
		|    . o = .      |
		|     . = +       |
		|    . + S o      |
		|     + o O .     |
		|      . o + o    |
		|       . o =  E  |
		|        . o .. . |
		+-----------------+


My GPG public key

For the layperson: you need this key if you want to make sure that I am the actual author of a GPG-signed message you received from somebody claiming to be me, or to send me a GPG-encrypted email which nobody else can read.

Most of my e-mails sent from computers I trust have been GPG-signed since 2007.


My GPG key #1

The GPG keypair I'm using now was generated on 2007-03-29, and will not expire; still, I may revoke it at some point in the future.
You can find my public key here as gpg-a.asc and, for convenience, on several keyservers as well.
The key fingerprint is 14DC 72EB 19F7 D2E6 C12E 113C BF33 9ABE 26C5 D286. Nowadays it's better not to use only the last four bytes, to avoid collision attacks. You should consider the key ID to be 14DC72EB19F7D2E6C12E113CBF339ABE26C5D286, as an indivisible sequence.


My lost GPG key from 2003

Please do not use the old key with ID 0x586648D5, back from 2003. It was indeed mine, but I lost the associated private key in a disk crash years ago, back when I was naive enough not to keep backups of these important things; now I can't even revoke it.


My OpenSSH public keys

For the layperson: you only need these keys if you want to give me shell access to a machine of yours.

I use several different RSA key pairs, depending on which client machine I'm physically on.

By convention RSA public keys are written on single, very long lines; since this notation makes them clumsy to display in inline HTML, I publish each key as a separate text file.

You can check the fingerprint of your copy, interactively, with ssh-keygen -l.
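
What ssh-keygen -l reports is the modulus size plus the unpadded base64 of SHA256 over the decoded key blob, so a copy of a key can also be checked against the lines published below with a short script. This is an added example, not code from this site: the function names are my own, and the sample key is constructed with an arbitrary modulus rather than being one of the keys listed here.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprint line for key #6, exactly as published on this page.
PUBLISHED = "2048 SHA256:YPotJhZoKmHlA2+/Zzx3Pjtu/bk44F/ZOe5FkAzObII luca@moore (RSA)"

def parse_published(line):
    """Split '<bits> SHA256:<digest> <comment> (<type>)' into its fields."""
    bits, digest, rest = line.split(" ", 2)
    comment, key_type = rest.rsplit(" ", 1)
    if not digest.startswith("SHA256:"):
        raise ValueError("expected a SHA256 fingerprint")
    return int(bits), digest, comment, key_type.strip("()")

def read_fields(blob):
    """Decode the length-prefixed fields of an SSH public key blob."""
    fields, pos = [], 0
    while pos < len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    return fields

def fingerprint(pubkey_line):
    """Return (modulus bits, 'SHA256:...') for an 'ssh-rsa AAAA... comment' line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    name, _exponent, modulus = read_fields(blob)
    if key_type != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    # OpenSSH prints SHA256 over the raw blob as base64 without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return int.from_bytes(modulus, "big").bit_length(), "SHA256:" + digest

def matches(pubkey_line, published_line):
    """True only if both the key size and the digest equal the published ones."""
    bits, digest = fingerprint(pubkey_line)
    want_bits, want_digest, _comment, _type = parse_published(published_line)
    return bits == want_bits and hmac.compare_digest(digest, want_digest)

def make_sample_key(bits=2048):
    """Constructed public key (arbitrary modulus), for demonstration only."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # mpint: leading 0x00
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sample@constructed"
```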


My OpenSSH RSA public key #1

A 4096-bit key pair. You can find the RSA public key here as ssh-a.
Its fingerprint is 4096 SHA256:Ll2MioFd5FahanPMe92GfaC7lOr+knZc34ErMmjU4Ok luca@optimum (RSA).


My OpenSSH RSA public key #2

A 2048-bit key pair. You can find the RSA public key here as ssh-b.
Its fingerprint is 2048 SHA256:Stv9EwRz86soXbzE/3njfuvqtNzy37bX2wNIwoQl+l0 luca@lucalaptop (RSA).


My OpenSSH RSA public key #3

A 2048-bit key pair. You can find the RSA public key here as ssh-c.
Its fingerprint is 2048 SHA256:dcE6nRF7RHO0JDR/WNweFJdJNTHorMEjG1GTXS7u9nI luca@ritchie (RSA).


My OpenSSH RSA public key #4

A 2048-bit key pair. You can find the RSA public key here as ssh-d.
Its fingerprint is 2048 SHA256:0CYsQgalAnprKHbfUnMEaQWb7WR/5T4vETC9LMXMxss luca@minsky (RSA).


My OpenSSH RSA public key #5 (obsolete)

I no longer use ssh-e.


My OpenSSH RSA public key #6

A 2048-bit key pair. You can find the RSA public key here as ssh-f.
Its fingerprint is 2048 SHA256:YPotJhZoKmHlA2+/Zzx3Pjtu/bk44F/ZOe5FkAzObII luca@moore (RSA).




Luca Saiu
Last modified: 2016-10-05


Copyright © 2007, 2012, 2016 Luca Saiu
Verbatim copying and redistribution of this entire page are permitted provided this notice is preserved.