My presence on the Internet is limited almost exclusively to this domain. In particular, I do not have and never had an account on any ‘social network’. My surname is quite common; there are several people with whom I share both name and surname.

You are welcome to write to vadim at this domain. I run my own mail service; the servers are located in the basement of my house. The service implements end-to-end confidentiality and authentication: internal delivery of mail is secured with a private, independent certification authority and bilateral TLS authentication. The certificates are signed using an HSM. Your correspondence will remain encrypted at all stages of its transmission if your service supports sending outgoing mail over TLS (which nowadays seems to be the case with all the webmail בהמות like Gmail).

Should you like to communicate with me in private, please consider using PGP.

The fingerprint of my PGP key as of February 13th 2019 is

807F 2C10 3D5B 579B 8F59 5127 B951 121C 77D3 F210
I also use this key for signing files that I distribute using this site. Decryption of messages encrypted with this key requires a hardware token.

There are two ways of fetching my PGP key: either using a public keyserver or querying one of my name servers using DANE (RFC 7929).

1. The preferred method is using DANE:

gpg --auto-key-locate clear,dane -v --locate-keys put-my-email-address-here
This method is not only faster but it is also more secure: I eat my own dog food, my name servers support DNSSEC; all information that they publish, including my PGP key, is signed using an HSM. The attacker needs to break into at least two different machines in different networks that belong to different organisations (this Web server and a server of my domain name registrar—most probably, these run different operating systems and other software) to trick you into trusting a forged key. I will notice such an attack immediately because it will invalidate DNSSEC verification of this entire domain (the way I use it for my own purposes other than this site), not only authentication of my PGP key. That requires a complex, coordinated attack; it is just too much of an effort for almost no gain, if you ask me.

Assuming that you have access to an operational DNS resolver that supports DNSSEC validation (such as unbound(1)), authentication of my public PGP key (i.e. checking that it is genuine), is a matter of running, on OpenBSD:

unbound-host -D -v -t openpgpkey "$(echo -n vadim | sha256 | cut -b1-56)._openpgpkey.penzin.net"
or on Linux:
unbound-host -D -v -t openpgpkey "$(echo -n vadim | sha256sum | cut -b1-56)._openpgpkey.penzin.net"
Normally (when the PGP key is found and it is authentic), you should see the complete DNS record (it is one line of output that may fill the entire 80⨯24 terminal window) that ends with the validation result enclosed in parentheses: (secure).

For truly paranoid black belts: you can combine key fetching, DNSSEC validation, and key import in one pipeline (in an attempt to escape TOCTOU attacks, which the method given above is prone to in theory):

unbound-host -D -v -t openpgpkey "$(echo -n vadim | sha256 | cut -b1-56)._openpgpkey.penzin.net" \
    | tail -1 \
    | grep ' (secure)$' \
    | cut '-d ' -f5 \
    | openssl enc -d -base64 -A \
    | gpg2 --import
(The example above is for OpenBSD with DNSSEC validation enabled. On Linux, in the command above, replace sha256(1) with sha256sum(1) and, probably, gpg2 with gpg.)

2. Querying a public keyserver:

gpg --search-keys 807F2C103D5B579B8F595127B951121C77D3F210
While this method is probably the simplest (in essence, in most default configurations of GnuPG, it is merely an HTTPS request with unilateral authentication of the server), bear in mind that public keyservers happen to be quite busy (right at the moment when you need them most). Besides that, there are organisations that block—or, rather, do not permit—outgoing traffic to public PGP key servers, expecting employees to use internal ones, while DNS traffic is seldom blocked or filtered thus leaving DANE operational. In addition, public key servers cannot provide a way of ascertaining authenticity of a key: anyone in the world can upload any public key to a public keyserver. The attacker needs to break into one machine (this Web server) to trick you into trusting a forged key.

If you have my mobile number, you can send me a message using Signal.

Vadim Penzin, June 11th 2019