Rules of Conduct
I will only accept files or emails sent to contact@paulhitt.com by the means listed below.
Look here for PGP Signature:

1 ~ File Handling & Transfer
- I only accept encrypted files – All inbound attachments must be encrypted (AES‑256 or stronger) before they enter my system.
- I require verified signatures – Files must be signed with a trusted PGP/GPG key or a corporate code‑signing certificate.
- I enforce secure transfer protocols – Use SFTP, HTTPS, or Proton Drive with end‑to‑end encryption for all uploads/downloads.
- I log every receipt – Record sender, timestamp, hash (SHA‑256), and encryption method in an immutable audit log.
2 ~ Encryption Standards
- Algorithms: AES‑256 GCM (or equivalent) for symmetric encryption; RSA‑4096 or ECC‑P‑384 for asymmetric key exchange.
- Transport encryption: TLS 1.3 with forward secrecy for all network traffic involving files.
3 ~ Verification & Validation
- I verify hashes – I compute SHA‑256 (or stronger) of each received file and compare it against the sender‑provided hash.
- I validate signatures – I verify PGP/GPG or code‑signing signatures against the approved key store.
- I scan for malware – I run received files through a sandboxed AV/EDR solution after decryption (where inspection requires it).
4 ~ Email
- I will sign every outbound message with the sender’s private key.
- I will encrypt sensitive payloads with S/MIME or OpenPGP before they reach the SMTP server.
- I will never attach unencrypted files containing confidential data; either encrypt the attachment separately or wrap the whole message in S/MIME/PGP.
Quick Checklist
- Is the file encrypted? – Yes → continue; No → reject.
- Is there a valid signature? – Yes → continue; No → reject.
- Do the hash and signature match the sender’s claim? – Yes → proceed; No → quarantine.
- Was the transfer done over a secure channel? – Yes → OK; No → reject.
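The receipt logging in section 1, the hash check in section 3 and the checklist above, as an added Python example that is not part of this page: it compares a file's SHA‑256 against the sender's claim in constant time, applies the checklist gates in the order given, and appends each receipt to a hash‑chained log so that a later edit to any record is detectable. The record format and the `intake_decision`/`append_receipt` function names are assumptions for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_matches(data: bytes, claimed_hex: str) -> bool:
    # Constant-time comparison of the computed digest with the sender's claim.
    return hmac.compare_digest(sha256_hex(data), claimed_hex.strip().lower())

def intake_decision(encrypted: bool, signature_valid: bool,
                    hash_ok: bool, secure_channel: bool) -> str:
    # Same order as the Quick Checklist: the first failing gate decides.
    if not encrypted:
        return "reject"
    if not signature_valid:
        return "reject"
    if not hash_ok:
        return "quarantine"       # hash/signature do not match the claim
    if not secure_channel:
        return "reject"
    return "accept"

def append_receipt(log: list, sender: str, data: bytes,
                   encryption_method: str, decision: str, when=None) -> dict:
    # Each record commits to the previous record's digest (hypothetical format):
    # altering or removing an earlier entry breaks the chain.
    prev = log[-1]["record_hash"] if log else "0" * 64
    entry = {
        "sender": sender,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "sha256": sha256_hex(data),
        "encryption_method": encryption_method,
        "decision": decision,
        "prev_hash": prev,
    }
    entry["record_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def chain_intact(log: list) -> bool:
    # Recompute every record digest and check each back-pointer.
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "record_hash"}
        if entry["prev_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["record_hash"]:
            return False
        prev = entry["record_hash"]
    return True
```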