[NTLUG:Discuss] GPG and Signing

greg@turnstep.com greg at turnstep.com
Thu Jul 3 08:55:53 CDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> As I have said I have submitted a bug to Ximian about this, but what I
> want to know is why anyone feels it's necessary to sign every message? 
> (not that I'll be able to see their replies ;^) hehehehe)

I'll take a shot at answering this in a serious manner:


I sign every email I send out. And I send out a lot of emails, to a lot of 
mailing lists. Why do I do this? Some of my reasons:


* Authenticity - By signing my email, anyone can verify that the mail was 
sent from me. Not from anyone else. Not somebody impersonating me. Not even 
somebody who broke into my home and sent email from my computer.


* Integrity - By signing my email, anyone can ensure that what they are reading 
is /exactly/ what I sent. This prevents someone from changing the message en 
route. It also prevents people from changing the message afterward and 
claiming I said something I did not.


* Local history - By signing each message to a mailing list, I can establish 
a clear history of posting. Every post by me has been signed by the same key, 
and therefore they are strongly linked together. No matter what computer I am 
sending from, and for that matter what email I use, they are all strongly 
tied to me.


* Global history - All those signings are often archived on the web, usually 
in mailing list archives. This provides a history of my usage of a particular 
key, making the key more effective. The more well-known and distributed a 
key is, the harder it is to impersonate. It also helps people to trust me 
when they need to, because they can go to Google and see a large history of 
posts I have done over the years, all with the same key. So they must assume 
that the key actually belongs to me, or that someone very determined has been 
doing a really determined job of impersonating me for years.


* Exposure - It helps to encourage using cryptography in general. The more 
widespread cryptography is, the safer it becomes and the harder for anyone 
(e.g. the government) to suppress or control it.


* Education - Most people have no idea how insecure email is. There is no 
authentication built into the protocol. Spoofing is /extremely/ easy. By 
signing my emails, I help make people aware of this fact.


* Reputation - By signing everything I send, I establish a pattern; people 
know that if it is not signed, it is not by me. If I only did this on some 
emails, it would be a lot harder for me to convince people that an unsigned
email was /not/ from me. Therefore, I sign all emails, regardless of their 
"importance."


* Orneriness - To keep email client writers on their toes. :) Seriously, 
the standards have been around for a long time, and there is no reason 
for all email clients not to support handling MIME attached signatures, 
as well as clearsigned ones like this.


- --
Greg Sabino Mullane greg at turnstep.com
PGP Key: 0x14964AC8 200307030932
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iD8DBQE/BDVuvJuQZxSWSsgRApq1AJwJqE4lL/Ew/yCcFCCTu7J9rCkzsQCfRUz8
60aJ/6sf1SKLdME4T8d2JAQ=
=fxMu
-----END PGP SIGNATURE-----
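As an added example (not part of Greg's post and not GnuPG's own code), the parsing step a mail client performs before it can check the Integrity claim above on a clearsigned message like this one: read the Hash armor header, undo the dash-escaping (the "- --" line), canonicalize the signed text and pull out the armored signature block. The sample message and its armor data are constructed placeholders; this code recovers the parts a verifier needs but does not verify the signature.

```python
# Added example (not GnuPG's code): split an RFC 4880 clearsigned message
# into the parts a verifier needs. It recovers the signed text and the
# armored signature; it does NOT verify the signature itself.
CLEARSIGN_HDR = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HDR = "-----BEGIN PGP SIGNATURE-----"
SIG_FTR = "-----END PGP SIGNATURE-----"


def parse_clearsigned(msg: str) -> dict:
    """Return {'hash': [...], 'text': canonical signed text, 'signature': armor}."""
    lines = msg.replace("\r\n", "\n").split("\n")
    if CLEARSIGN_HDR not in lines:
        raise ValueError("not a clearsigned message")
    i = lines.index(CLEARSIGN_HDR) + 1
    hashes = []
    # Armor headers such as "Hash: SHA1" run until the first blank line.
    while i < len(lines) and lines[i] != "":
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hashes = [h.strip() for h in value.split(",") if h.strip()]
        i += 1
    i += 1  # skip the blank line that ends the headers
    try:
        sig_start = lines.index(SIG_HDR, i)
        sig_end = lines.index(SIG_FTR, sig_start)
    except ValueError:
        raise ValueError("signature block missing or unterminated") from None
    body = []
    for line in lines[i:sig_start]:
        if line.startswith("- "):        # undo dash-escaping ("- --" -> "--")
            line = line[2:]
        body.append(line.rstrip(" \t"))  # trailing spaces/tabs are not signed
    # Canonical CRLF endings; the line ending just before the signature
    # block is not part of the signed text, so no trailing CRLF is added.
    return {"hash": hashes, "text": "\r\n".join(body),
            "signature": "\n".join(lines[sig_start:sig_end + 1])}


# Constructed sample in the shape of the message above (armor data is a placeholder).
SAMPLE = "\n".join([
    CLEARSIGN_HDR, "Hash: SHA1", "",
    "I sign every email I send out.   ", "- --", "Greg",
    SIG_HDR, "Comment: http://www.turnstep.com/pgp.html", "",
    "PLACEHOLDERARMORDATA", "=abcd", SIG_FTR,
])

if __name__ == "__main__":
    parts = parse_clearsigned(SAMPLE)
    print(parts["hash"], repr(parts["text"]))
```

A mail client that skips any of these steps (for example, leaving trailing whitespace in place) will compute a digest over different bytes than the signer did and report a valid signature as bad.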
