
Sending Sensitive Information to CERT

We strongly urge you to encrypt sensitive information. We can exchange email with you using PGP or DES. We have STE and STU-III telephones and a secure FAX available, all at the secret level. You can obtain GnuPG or PGP from a variety of sources.

We also encourage you to check our PGP signature on email and documents.


PGP

As a good security practice, users should be sure to validate PGP keys they receive and not trust unvalidated keys. In the past, forged CERT/CC PGP keys have been created and uploaded to public keyservers. It is important to validate your copy of the CERT/CC PGP public key to ensure it is legitimate.
  1. Get our PGP public key from the CERT/CC web site.

    This PGP key has the following properties:

    CERT PGP Key Information
    Key ID: 0x14C33F57
    Key Type: RSA
    Expires: 2009-06-30
    Key Size: 2048
    Key fingerprint = EE1A C5FD CDDD B25E 8D0C  D570 1040 E2AA 14C3 3F57
    UserID: CERT Coordination Center <cert@cert.org>
    
    Information about our old PGP key can be found here.

    The CERT PGP keys have an operational life span of approximately one year. When we generate a new key, it will be available from this web page, and we will announce the change on our What's New page.

  2. Verify our fingerprint.

    Call the CERT hotline (+1 412 268-7090) to verify our fingerprint.

    If calling us is difficult and you trust that this web page is authentic, you can use the fingerprint below.

    Fingerprint: EE1A C5FD CDDD B25E 8D0C D570 1040 E2AA 14C3 3F57

    Note: You can also verify the NSS Program signature on the CERT PGP key. The Networked Systems Survivability (NSS) Program at the Software Engineering Institute is the home of the CERT/CC. We have generated an NSS master key that we use only as a key-signing key. Use this master key for verification only.

    Fingerprint: 70B3 2975 C2CE EBB4 2945 9F1E 4A6A 4D20 18DE BE70

    Do not use the NSS Program master key to encrypt mail. We reflect this restriction in the UserID, which includes the string <nomail@cert.org>.
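The fingerprint comparison in step 2, as an added example that is not part of the CERT page: it parses the machine-readable output of `gpg --with-colons --fingerprint` and checks it against the published fingerprint and key ID. The two sample outputs are constructed; the colon-format field positions are taken from GnuPG's documentation.

```python
import re
# Values published on the CERT page for the current key.
CERT_FINGERPRINT = "EE1A C5FD CDDD B25E 8D0C  D570 1040 E2AA 14C3 3F57"
CERT_KEY_ID = "0x14C33F57"
# Constructed sample of `gpg --with-colons --fingerprint` output for the page's key,
# in GnuPG's colon format: pub field 3 = bits, 4 = algorithm (1 = RSA), 5 = long
# key ID, 7 = expiry; fpr and uid records carry their value in field 10.
GENUINE = """\
pub:u:2048:1:1040E2AA14C33F57:2008-06-30:2009-06-30::u:::scESC:
fpr:::::::::EE1AC5FDCDDDB25E8D0CD5701040E2AA14C33F57:
uid:u::::2008-06-30::0::CERT Coordination Center <cert@cert.org>:
"""
# Constructed sample of a forged key that copies only the user ID.
FORGED = """\
pub:-:2048:1:89ABCDEF01234567:2008-05-01:2009-05-01::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2008-05-01::0::CERT Coordination Center <cert@cert.org>:
"""

def normalize(fpr):
    """Drop whitespace and case so a fingerprint read out over the phone compares equal."""
    return re.sub(r"\s+", "", fpr).upper()

def parse_keys(colon_output):
    """Group pub/fpr/uid records into one dict per public key."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"bits": int(f[2]), "rsa": f[3] == "1", "key_id": f[4],
                         "expires": f[6], "fingerprint": "", "uids": []})
        elif f[0] == "fpr" and keys:
            keys[-1]["fingerprint"] = f[9]
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def check_key(colon_output):
    """Return a list of problems; empty means the key matches the published data (a matching user ID alone proves nothing)."""
    want = normalize(CERT_FINGERPRINT)
    short_id = normalize(CERT_KEY_ID)[2:]
    keys = parse_keys(colon_output)
    problems = [] if keys else ["no public key in output"]
    for k in keys:
        if k["fingerprint"] != want:
            problems.append(f"fingerprint {k['fingerprint']} != published {want}")
        if not k["key_id"].endswith(short_id):
            problems.append(f"key ID {k['key_id']} != published {CERT_KEY_ID}")
    return problems
```

Feed it the real `gpg --with-colons --fingerprint 0x14C33F57` output from your keyring; any non-empty result means the copy you hold is not the key this page describes.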


Obtaining GnuPG or PGP

GnuPG

Gnu Privacy Guard offers an OpenPGP compliant application that is freely available. You may obtain GPG software from GnuPG's distribution site:

http://www.gnupg.org/download.html

This site provides details for the most appropriate software based on your operating system. Please note that the version compiled for MS-Windows is a command line version and comes with a graphical installer tool.

Graphical installers are also available via the Windows Privacy Tray:

http://winpt.sourceforge.net/en/

PGP

PGP Corporation offers a range of products, including PGP Desktop, which may be obtained for a free 30-day trial period. You may obtain the software from PGP Corporation's download page:

http://www.pgp.com/downloads/index.html

PGP software includes tools and discussion forums for support, along with an online support portal:

www.pgpsupport.com


Checking our PGP signature on mail messages and documents

Many documents developed by the CERT Coordination Center are signed with the CERT PGP key. We encourage you to check the signature to ensure that the document was indeed written by our staff and has not been changed.

Note for users of the CERT Advisory mailing list:
Some mail programs cause changes to mail messages, resulting in an indication that the PGP signature is not good. Others have difficulty because of the cert-advisory@cert.org address in the headers. The mailer may expect cert-advisory to have a key. However, cert-advisory is simply an address we use for sending advisories, bulletins, and similar documents. These are signed with the CERT PGP key. Thus, you can check our PGP signature by saving your mail message to a file and running PGP on it.


DES

Contact us to set up a shared key. Call the CERT hotline (+1 412-268-7090) on weekdays between 8:30 and 17:00 (EST - GMT-5, EDT - GMT-4).


STE/STU-III telephones

Our STE and STU-III telephones handle secret and unclassified sensitive information.

Let us know through the CERT hotline (+1 412-268-7090) that you wish to speak with us on the STE or STU-III phones. Please leave your name and telephone number for our COMSEC custodian. The custodian's normal working hours are 8:30 to 17:00 (EST - GMT-5, EDT - GMT-4).


Secure FAX

We can send and accept secure facsimiles. If you need to send us a secure FAX, call the CERT hotline (+1 412-268-7090) on weekdays between 8:30 and 17:00 (EST - GMT-5, EDT - GMT-4).


Last updated May 23, 2008