[NTLUG:Discuss] GPG and Signing
greg@turnstep.com
Thu Jul 3 08:55:53 CDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> As I have said I have submitted a bug to Ximian about this, but what I
> want to know is why anyone feels it's necessary to sign every message?
> (not that I'll be able to see their replies ;^) hehehehe)
I'll take a shot at answering this in a serious manner:
I sign every email I send out. And I send out a lot of emails, to a lot of
mailing lists. Why do I do this? Some of my reasons:
* Authenticity - By signing my email, anyone can verify that the mail was
sent from me. Not from anyone else. Not somebody impersonating me. Not even
somebody who broke into my home and sent email from my computer.
* Integrity - By signing my email, anyone can ensure that what they are reading
is /exactly/ what I sent. This prevents someone from changing the message en
route. It also prevents people from changing the message afterward and
claiming I said something I did not.
* Local history - By signing each message to a mailing list, I can establish
a clear history of posting. Every post by me has been signed by the same key,
and therefore they are strongly linked together. No matter what computer I am
sending from, and for that matter what email I use, they are all strongly
tied to me.
* Global history - All those signings are often archived on the web, usually
in mailing list archives. This provides a history of my usage of a particular
key, making the key more effective. The more well-known and distributed a
key is, the harder it is to impersonate. It also helps people to trust me
when they need to, because they can go to Google and see a large history of
posts I have done over the years, all with the same key. So they must assume
that the key actually belongs to me, or that someone very determined has been
doing a really determined job of impersonating me for years.
* Exposure - It helps to encourage using cryptography in general. The more
widespread cryptography is, the safer it becomes and the harder it is for anyone
(e.g. the government) to suppress or control it.
* Education - Most people have no idea how insecure email is. There is no
authentication built into the protocol. Spoofing is /extremely/ easy. By
signing my emails, I help make people aware of this fact.
* Reputation - By signing everything I send, I establish a pattern; people
know that if it is not signed, it is not by me. If I only did this on some
emails, it would be a lot harder for me to convince people that an unsigned
email was /not/ from me. Therefore, I sign all emails, regardless of their
"importance."
* Orneriness - To keep email client writers on their toes. :) Seriously,
the standards have been around for a long time, and there is no reason
for all email clients not to support handling MIME attached signatures,
as well as clearsigned ones like this.
- --
Greg Sabino Mullane greg at turnstep.com
PGP Key: 0x14964AC8 200307030932
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html
iD8DBQE/BDVuvJuQZxSWSsgRApq1AJwJqE4lL/Ew/yCcFCCTu7J9rCkzsQCfRUz8
60aJ/6sf1SKLdME4T8d2JAQ=
=fxMu
-----END PGP SIGNATURE-----
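The post above is itself a clearsigned message, and the "Integrity" point rests on the reader being able to recover exactly the text that was signed. As an added example (not part of the post, and not Greg's or GnuPG's code), the parser below splits a clearsigned message the way RFC 4880 describes: it reads the Hash armor header, undoes the dash-escaping that turns the "-- " signature separator into "- -- ", strips trailing whitespace and joins the lines with CRLF to get the canonical signed text, and checks the "=XXXX" CRC-24 line of the signature armor. The sample message is constructed, and its "signature" bytes are a placeholder payload rather than a real OpenPGP signature packet; the key-based check itself still belongs to gpg --verify.

```python
import base64, re

def crc24(data: bytes) -> int:
    # CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1).
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor_crc(data: bytes) -> str:
    # The "=XXXX" checksum line that closes an armored block.
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?P<hdr>(?:.*\n)*?)\n(?P<body>(?:.*\n)*?)"
    r"-----BEGIN PGP SIGNATURE-----\n(?:.*\n)*?\n(?P<b64>(?:[A-Za-z0-9+/=]+\n)*?)"
    r"(?P<crc>=[A-Za-z0-9+/]{4})\n-----END PGP SIGNATURE-----")

def parse_clearsigned(text: str):
    """Return (hash_name, canonical_signed_text, signature_bytes, crc_ok)."""
    m = CLEARSIGNED.search(text)
    if m is None:
        raise ValueError("not a clearsigned message")
    hash_name = None
    for hdr in m["hdr"].splitlines():            # armor headers, e.g. "Hash: SHA1"
        key, _, value = hdr.partition(":")
        if key.strip() == "Hash":
            hash_name = value.strip()
    body = []
    for line in m["body"].splitlines():
        if line.startswith("- "):                # undo dash-escaping (RFC 4880, 7.1)
            line = line[2:]
        body.append(line.rstrip(" \t"))          # trailing whitespace is not signed
    sig = base64.b64decode(m["b64"].replace("\n", ""))
    # The signed digest covers this CRLF-canonical text plus the signature packet's
    # hashed subpackets, so the key-based check itself is left to gpg --verify.
    return hash_name, "\r\n".join(body), sig, m["crc"] == armor_crc(sig)

def build_sample() -> str:
    # Constructed message in the post's layout; the "signature" bytes are a placeholder, not a real OpenPGP packet.
    sig = bytes(range(48))
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
        "I sign every email I send out.", "- -- ", "Greg",
        "-----BEGIN PGP SIGNATURE-----", "Comment: http://www.turnstep.com/pgp.html", "",
        base64.b64encode(sig).decode(), armor_crc(sig), "-----END PGP SIGNATURE-----", ""])
```

Any edit to the body changes the canonical text and therefore the digest gpg recomputes, which is what makes a tampered copy of a signed post fail verification.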