[Cryptography] PGP-Signed Email

grarpamp grarpamp at gmail.com
Thu Aug 24 00:31:11 EDT 2017


On Sun, Aug 20, 2017 at 10:30 PM, Jason Richards <jjr2 at gmx.com> wrote:
> is there any evidence or even any suspicions that email
> sent to a list like this is likely to be or has been maliciously
> modified in transit, without otherwise being detected, and therefore
> would benefit from signing?

ex: people are broadcasting "donate to me" addresses while using
shitty VPNs, proxies, caches, exits, TLS MITM, services, etc.
These can and do get rewritten by malactors / bitrot.

> I understand that there is a perceived value in signing all emails,
> thereby establishing a habit which "proves" that an unsigned email did
> not come from the apparent sender

Yes, few sig 100% of time, so this proves nothing, even if so.
And sorting out repudiation assertions / miss-sigs is often not too easy.

A greater value of sig is establishing key history to email address / context,
of any frequency, so that key somewhat more easily trusted... vs cold asking
for a key from some address in a "now" situation when key is needed,
and address may in fact be compromised, where key / person may
not yet be, etc. Surprisingly low frequency needed to establish that.

No crypto is panacea... requires threat models, context, assertions,
analysis, proofs, etc.

> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
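The two points grarpamp makes above (a signature lets a recipient detect a "donate to me" address rewritten in transit, and a key seen repeatedly with the same address builds a key history that makes a later key change stand out) as an added worked example, not code from the thread. It uses Ed25519 from the Go standard library as a stand-in for an OpenPGP signature, since the stdlib has no OpenPGP implementation; the sender address, the donation address and the `KeyHistory` trust-on-first-use store are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignedMail is a constructed stand-in for a list post carrying a detached
// signature. Ed25519 replaces OpenPGP here; the checks have the same shape.
type SignedMail struct {
	From string
	Body string
	Sig  []byte
}

// signingInput binds the From: address to the body so a valid signature
// cannot be re-attached to a message claiming a different sender.
// (Assumption of this example, not an OpenPGP rule.)
func signingInput(from, body string) []byte {
	return []byte("From: " + from + "\r\n\r\n" + body)
}

// Sign produces a detached signature over From: plus body.
func Sign(priv ed25519.PrivateKey, from, body string) SignedMail {
	return SignedMail{From: from, Body: body, Sig: ed25519.Sign(priv, signingInput(from, body))}
}

// Verify reports whether the message is intact under the given public key.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, signingInput(m.From, m.Body), m.Sig)
}

// Fingerprint is a hex SHA-256 of the public key, standing in for an
// OpenPGP key fingerprint.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// KeyHistory records the key fingerprint seen for each sender address:
// the "key history to email address" the post describes (trust-on-first-use).
type KeyHistory map[string]string

// Observe records the key for a sender and classifies the sighting as
// "first-use" (no history yet), "continuity" (same key as before) or
// "key-changed" (a different key for a known address, worth a closer look).
func (h KeyHistory) Observe(from string, pub ed25519.PublicKey) string {
	fp := Fingerprint(pub)
	prev, seen := h[from]
	switch {
	case !seen:
		h[from] = fp
		return "first-use"
	case prev == fp:
		return "continuity"
	default:
		return "key-changed"
	}
}

// RewriteAddress simulates a hop that rewrites a donation address in transit.
func RewriteAddress(body, old, replacement string) string {
	return strings.ReplaceAll(body, old, replacement)
}

// Scenario collects the observable outcomes so they can be asserted on.
type Scenario struct {
	IntactVerifies    bool
	RewrittenVerifies bool
	FirstUse          string
	Continuity        string
	KeyChanged        string
}

// RunScenario signs a constructed post, rewrites its address as a bad hop
// would, and walks the key history through first use, continuity and a
// key change for the same address.
func RunScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	// Constructed sample post; the address is a placeholder, not a real wallet.
	const from = "alice@example.invalid"
	const body = "Please donate to: PLACEHOLDER_ADDRESS_AAAA\n"
	m := Sign(priv, from, body)

	var s Scenario
	s.IntactVerifies = Verify(pub, m)

	tampered := m // copy; only the body changes, the signature travels unchanged
	tampered.Body = RewriteAddress(m.Body, "PLACEHOLDER_ADDRESS_AAAA", "PLACEHOLDER_ADDRESS_MALLORY")
	s.RewrittenVerifies = Verify(pub, tampered)

	hist := KeyHistory{}
	s.FirstUse = hist.Observe(from, pub)
	s.Continuity = hist.Observe(from, pub)
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // a second key for the same address
	if err != nil {
		return Scenario{}, err
	}
	s.KeyChanged = hist.Observe(from, otherPub)
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact verifies: %v, rewritten verifies: %v\n", s.IntactVerifies, s.RewrittenVerifies)
	fmt.Printf("key history: %s, %s, %s\n", s.FirstUse, s.Continuity, s.KeyChanged)
}
```

The rewritten address fails verification because the signature covers the body, which is the detection the signature buys; the key history only flags a change and cannot say whether the new key belongs to the sender or to whoever now controls the address, which is why the post treats it as a prompt for closer checking rather than a proof.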
