As might be obvious by now, this is a homepage for some person known as Phil Pennock.

I've had websites; I've let people endure some truly awful pages. This site is bare and will probably remain fairly bare. It's probably still awful.

There are some small bits of software I've written which are available. I also contribute patches to various open-source projects. I've been involved with Exim and Zsh. The sieve-connect software is commonly available in OS packaging.

Elsewhere, there's miscellaneous software on GitHub (linked below). There's public software written in Go (Golang) through my company, Pennock Tech, LLC; there's lots of other scattered bits. Some folks use my GnuPG packages which install into /opt/gnupg, over on


I have an Internet footprint which is non-trivial. I send mail to various lists, etc. I have even succumbed to the onslaught of the social web.


I was a founding member of the Go Steel Programmers, a user-group for the Go programming language, in Pittsburgh, PA, USA. We later folded into the newer Code & Supply group for programmers in Pittsburgh (organizers of the Abstractions conference).

I am a former maintainer of Exim, but am no longer involved with that project.

I am a contributor to Zsh. I tend to be involved with medium-level Internet plumbing: one step up from routing and Autonomous Systems, but below most applications.

PGP / Contacting

I have two current PGP keys; one is using Curve 25519 and requires current OpenPGP software, the other is an RSA key which legacy implementations are more likely to accept. You can retrieve both the newer 0x1DA3E68F41CEECAC and the older 0x4D1E900E14C1CC04 in one place.
If your OpenPGP implementation breaks on even seeing the Ed25519 key, then you can retrieve just the older RSA key; if retrieving that fails because your implementation is so broken that it doesn't ignore subkeys which it can't handle, then you can retrieve a filtered key.

Both of those keys are in the strong set. I also have less-trusted keys living on my laptop or inside applications such as Keybase and those should not be especially trusted via the web-of-trust (WoT).

My thanks to Henk Penning, RIP, for having provided the PGP keyfinder service for so many years.

Retrieving my PGP key

Mechanisms to retrieve my PGP key include:


I sometimes use XMPP/Jabber. Historically I used the Off-The-Record (OTR) system for privacy and had a PGP-signed statement listing my fingerprints here. I do not currently use OTR. I rarely connect to XMPP any more, but if I do it will still be with my JID in the domain. I can be tempted back by a good low-resource graphical client, not written in C, for Linux or BSDs.

I do use various other messenger type systems; I never let the client apps upload my address-book (excepting the contacts system I've been using for A Long Time, and where the well-known free email service could infer all those contacts anyway).

Most services which provide strong privacy protocols will unfortunately immediately compromise that by requiring that a phone number be the primary identifier, a phone number inherently tied to a device which you always have with you, so I'm not particularly enamoured of most of them. Ironically, the service (I know of) providing decent optional privacy ("Secret Chats") without requiring using a phone number is Facebook Messenger.
I keep a PGP-signed statement of my Facebook long-term device public keys.

Other OpenPGP Notes

I have a page about PGP keyserver implementations.


See for information about managing CA trust stores and the CA which I run for myself; that site itself uses a certificate from a more widespread public CA, to ease access. No warranty is made about my CA, the master keys are not stored off-line, etc.