<div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 23, 2017 at 9:17 PM, Moritz Bartl <span dir="ltr"><<a href="mailto:moritz@headstrong.de" target="_blank">moritz@headstrong.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On <a href="tel:21.08.2017%2004" value="+12108201704">21.08.2017 04</a>:30, Jason Richards wrote:<br>
> So, my question then is: what are the benefits of always sending<br>
> PGP-signed email and calling out when email is not signed, especially on<br>
> open email lists such as this?<br>
<br>
</span>Here's a statement by K9Mail developer Vincent Breitmoser that<br>
underlines your point in a blog post titled "Signed-Only Mails<br>
Considered Harmful":<br>
<br></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">I disagree with the analysis. Signed email is no more complex if every mail is signed and will be rejected otherwise. At that point, the complexity is reduced because spam is a very different issue.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">A more precise analysis would be signed SMTP mail is more complex.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The 'legal' analysis is naive and wrong. Adding a digital signature does not change your liability because an electronic signature is equally binding. The risk of a lost private key is irrelevant because a signature only creates a rebuttable presumption of validity. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Many schemes bind a disclaimer into the signature, this is why SAML assertions have an audience condition. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">In short, these are issues that a protocol designer has to bear in mind when developing a messaging application. They are not reasons it cannot work.</div><br></div><div> </div></div></div></div>