[Cryptography] PGP-Signed Email

Jason Richards jjr2 at gmx.com
Sun Aug 20 22:30:02 EDT 2017


StealthMonger:
> In an unsigned mail it is written:

And on that note: there aren't too many PGP-signed emails sent to this
list. Many years ago I used to sign all of my emails; however, I came to
the conclusion that this is really quite pointless:

o it proves only that whoever sent the email had access to my private
  key at the time; and
o it provides non-repudiation, which is bad in the case that the person
  who had access to my private key wasn't me.

This thread that I have hijacked shows a use case for signing, but,
outside that, is there any evidence or even any suspicions that email
sent to a list like this is likely to be or has been maliciously
modified in transit, without otherwise being detected, and therefore
would benefit from signing?

I understand that there is a perceived value in signing all emails,
thereby establishing a habit which "proves" that an unsigned email did
not come from the apparent sender; however, in practice I have noticed
that there are often occurrences where a machine is being rebuilt or an
email is sent from a mobile device or some other thing happens in which
the sender who always sends PGP-signed emails can't, therefore
destroying that entire benefit.

So, my question then is: what are the benefits of always sending
PGP-signed email and calling out when email is not signed, especially on
open email lists such as this?

J
