Fun things you can do with a PGP/GnuPG key
When I was asked "What else can you do with an OpenPGP/GnuPG key beyond the
normal signing/encrypting of files and e-mail messages?", I thought about
it and came up with a couple of ideas... but the question continued to nag
at me and I finally decided to do a 5-minute "lightning talk" at an
OCLUG meeting in February 2004
to discuss the topic.
With the help of some other folks who commented on an
article I posted at
Advogato.org, I have come up with a list of ideas
for ways to use your OpenPGP/PGP/GnuPG
key beyond the normal signing/encrypting files and e-mail.
- PGP-encrypted Jabber IM - Have fully PGP-encrypted
instant messaging using a Jabber client such as
Psi or
gabber that supports the
JEP-0027
spec for OpenPGP usage.
- Sign your packages - As described here, sign your RPMs using
rpm --sign. The Debian package maintenance system apparently
automatically signs packages with your key. There is a "debsig-verify" tool
that can check these signatures. There is also a project called
dpkg-sig which is looking at
creating signatures inside of deb files and
APT Secure, which is a project
to include signatures in the apt package distribution process.
- Generate external signatures for your packages - If you don't use
RPMs or Deb files, or even if you do, you can create external signature files
that people can download to verify the integrity of your file. Two ways to
generate the external (detached) signature:
gpg -ba foo.tgz (creates the ASCII-armored foo.tgz.asc)
gpg --output foo.tgz.sig --detach-sig foo.tgz (creates the binary foo.tgz.sig)
and verification is simply:
gpg --verify foo.tgz.sig foo.tgz
- Sign your web pages - Provide a way that people can verify
the contents of your web pages.
This article and
this one give
ideas for how to do it with the PGP signature in the HTML page itself.
This link mentions external signatures as well. The process for an
external signature is quite simple. Create the HTML page and include the
link (tag and text) for the external signature file. Then generate the
external sig as mentioned above using the name you put in the link.
- PGP-encrypted voice - Use PGPfone for encrypted voice. Note that MIT has this up on their
web page that used to host PGPfone:
MIT is no longer distributing PGPfone. Given that the software has not been maintained since 1997, we doubt it would run on most modern systems.
- Get a digital timestamp on a message - Signing a message can
validate that you signed a file and it has not been modified since
that time, but what about validating when the message was sent?
The PGP Digital Timestamping
Service is one mechanism to assist.
- Post to web sites - Some sites such as
LiveJournal will let you post items on the web site via PGP-encrypted e-mail (with a paid LJ account).
- Send in your confession! - There is a
priest who takes confessions
via PGP-encrypted e-mail.
- Manage secondary DNS servers - A tool known as
AutoDNS
allows you to manage secondary DNS servers via PGP-encrypted e-mail.
- Sign your configuration files - Several people have suggested
signing the configuration files in /etc so that modifications can be detected.
One person mentions that they have an application that checks the signatures
before the config files are loaded, and refuses to load a file whose signature fails.
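The two ideas above, external (detached) signatures and signature-checked configuration files, use the same workflow, so here is one added example that walks through both. It is not code from the original article; it creates a throwaway key in a scratch GNUPGHOME with a hypothetical identity ("Demo Signer"), writes a constructed sample config file, signs it with a detached signature, verifies it, then appends a line to the file and shows that the loader refuses it once the signature no longer matches. It assumes GnuPG 2.1 or later is installed (for --quick-generate-key and --pinentry-mode loopback).

```shell
#!/bin/sh
# Added example, not part of the original article.
# Demonstrates detached signing/verification and a "verify before load" gate
# for a configuration file. Assumes GnuPG 2.1+ on PATH.
set -u

# verify_then_load FILE SIGFILE
# Prints FILE on stdout only if its detached signature in SIGFILE verifies
# against the keys in the current GNUPGHOME; returns 1 otherwise.
verify_then_load() {
    file=$1
    sig=$2
    if gpg --batch --quiet --verify "$sig" "$file" 2>/dev/null; then
        cat "$file"
    else
        echo "refusing to load $file: signature check failed" >&2
        return 1
    fi
}

# run_demo: returns 0 when a correctly signed file is accepted AND a tampered
# copy is rejected; returns 1 on any other outcome; returns 77 if gpg is absent.
run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 77; }

    work=$(mktemp -d) || return 1
    # Scratch keyring so the demo never touches the user's real keys.
    GNUPGHOME="$work/gnupghome"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Hypothetical test identity; unprotected key is acceptable only because
    # the whole keyring is deleted at the end of the demo.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never \
        2>/dev/null || return 1

    # Constructed sample configuration file.
    cfg="$work/app.conf"
    printf 'listen=127.0.0.1\nport=8080\n' > "$cfg"

    # Detached binary signature, the same form as
    #   gpg --output foo.tgz.sig --detach-sig foo.tgz
    gpg --batch --quiet --output "$cfg.sig" --detach-sig "$cfg" || return 1

    # 1. Untouched file: the gate must let it through.
    verify_then_load "$cfg" "$cfg.sig" >/dev/null || return 1

    # 2. Tampered file (one appended line): the gate must reject it, since the
    #    signature covers the original bytes only.
    printf 'listen=0.0.0.0\n' >> "$cfg"
    if verify_then_load "$cfg" "$cfg.sig" >/dev/null 2>&1; then
        return 1
    fi

    rm -rf "$work"
    return 0
}
```

To run it stand-alone, source the file and call run_demo (for example `sh -c '. ./sign-and-check.sh; run_demo && echo ok'`). In a real deployment the verifying keyring would hold only the public key of whoever is allowed to sign configuration, and the signing key would live somewhere the config host cannot reach, so that a modified /etc file cannot simply be re-signed in place.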
- Build it into your software - If you write software, there
are interfaces such as
GPGME,
py-gnupg or
GnuPG::Interface
that allow your program to interact with GnuPG and use keys.
Now for those folks who are interested in the whole Web of Trust and/or
statistics around the keys, there are certainly these options:
Feedback and suggestions are very welcome. If you have other ideas for
how to use an OpenPGP/PGP/GnuPG key, please e-mail me. I am particularly interested in suggestions for "regular"
computer users (i.e. not necessarily developers, but just average computer
users).
Copyright 2004 Dan York