"it ensures the person sending the email is who they say they are"
Although, if you're going to trust the pgp key you get sent when you mail someone asking for one, you don't have any more assurance that you're encrypting it to the person you intended, and you _almost_ may as well have sent it in cleartext in the initial email...
Get your pgp fingerprints in some out-of-band method of communication. (When was the last time anybody even heard of a key signing party? I attended one at the Perl Conference in '98 or '99 - don't think I've been aware of one happening in any of my circles since)
Now the paranoid in me is wondering - if there's an attacker deeply entrenched enough to be reading their plain-text email, either on the wire between them and you or with sufficient root privs on their infrastructure, they could probably have arranged their own pgp key to appear there for you as well. If I were trying to ensure I was doing my utmost best diligence, I'd have tried to include a completely non-internet backchannel - perhaps a call phone number for Heroku sourced from a dead-tree phone book (if such a thing exists anymore?) and get someone to read out the key fingerprint.
If they're that owned, it's highly unlikely that you telling them about some additional vulnerability is going to help their attackers. And you'll figure it out soon enough when none of your proposed fixes are enacted.
True - but if they're _not_ that owned, TLS encrypted email probably would have been sufficient. (Though I'm not sure how easy it is to force/ensure TLS in common email clients…)
TLS only protects a single link; from your client, to your server. It doesn't prevent you from disclosure on that server, on any relaying servers in between, or between their server and their client (remember, they may be reading email on wifi in a coffee shop).
S/MIME email is another end-to-end encryption scheme, like PGP, but it isn't as popular among a technical crowd as PGP is.
This is where the owner of the PGP key has hopefully verified themselves by setting up a web of trust.
In other words, that they have passed the key along to employees and other trusted (i.e. large web-of-trust) tiers - which in turn have put their keys to use to verify that this key belongs to the security team of Heroku.
To verify the verifications, you could contact one of the trusted parties and ask them how they are sure that the particular key is correct - if in doubt.
I'd like to hope the whole "web of trust" idea could solve this problem. If I've got a large enough set of people I've been sending signed or encrypted email to using a particular key, that history means I've got a pretty reliable idea that the key is "real". With a bit of luck, if enough of my set of people have their own group of historically-verified keys, I might have a good enough chance of finding someone I know and trust who'll vouch for a key fingerprint of someone I need to securely communicate with.
(I wonder if pgp signing registration email or payment receipts might help here? Or perhaps including key fingerprints? It'd be nice to be able to mail a user/customer saying "here's our PGP key, and you can check it against the key fingerprint we sent you when you signed up" or maybe "… that we print on every invoice"?)
Widely communicating your key fingerprint makes sense. I put it on my business cards, etc. Back in the late 1990s people were talking about publishing root key fingerprints in newspapers, engraving them on stone tablets, etc. I.e. things which obviously required a lot of money be expended, thus making casual forgery less likely.
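The check the comments above describe (compare the key that arrived by email with a fingerprint obtained from a phone call, business card or invoice), as an added example that is not part of the original thread. It assumes a version 4 OpenPGP key in binary (dearmored) form, whose fingerprint is defined in RFC 4880; the sample key bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed, non-functional key material (tiny RSA-shaped MPIs), for illustration only.
BODY = (b"\x04" + b"\x5f\x00\x00\x00" + b"\x01"      # version 4, creation time, algo 1 (RSA)
        + b"\x00\x10\xc3\x55" + b"\x00\x11\x01\x00\x01")  # MPI n (16 bits), MPI e (17 bits)
SAMPLE_KEY = b"\x99\x00\x0f" + BODY                  # old-format header: tag 6, 2-byte length

def first_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet in binary (dearmored) data."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                               # new-format header
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:                                            # old-format header
        tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not supported")
        size = (1, 2, 4)[length_type]
        start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(key_data: bytes) -> str:
    """SHA-1 over 0x99, a two-byte body length, and the public-key packet body."""
    tag, body = first_packet(key_data)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def matches_out_of_band(key_data: bytes, spoken: str) -> bool:
    """Compare the emailed key against a fingerprint read over the phone or from paper."""
    expected = "".join(spoken.replace(":", " ").split()).upper()
    if len(expected) != 40 or any(c not in "0123456789ABCDEF" for c in expected):
        return False                                 # rejects short/long key IDs and typos
    return hmac.compare_digest(v4_fingerprint(key_data), expected)
```

The comparison requires the full 40-hex-digit fingerprint, so an 8- or 16-digit key ID read out over the phone is rejected rather than treated as a match.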
Perhaps people who rely on a longstanding online reputation could provide a service as verifiable online keystores for many different organisations via their own public key, so providing a distributed and multiply redundant public key resource that would be incredibly difficult to hack all in one go to fake a specific key.