[Cryptography] PGP-Signed Email
Phillip Hallam-Baker
phill at hallambaker.com
Thu Aug 24 20:25:27 EDT 2017
On Wed, Aug 23, 2017 at 9:17 PM, Moritz Bartl <moritz at headstrong.de> wrote:
> On 21.08.2017 04:30, Jason Richards wrote:
> > So, my question then is: what are the benefits of always sending
> > PGP-signed email and calling out when email is not signed, especially on
> > open email lists such as this?
>
> Here's a statement by K9Mail developer Vincent Breitmoser that
> underlines your point in a blog post titled "Signed-Only Mails
> Considered Harmful":
>
>
I disagree with the analysis. Signed email is no more complex if every
mail is signed and will be rejected otherwise. At that point, the
complexity is reduced because spam is a very different issue.
A more precise analysis would be signed SMTP mail is more complex.
The 'legal' analysis is naive and wrong. Adding a digital signature does
not change your liability because an electronic signature is equally
binding. The risk of a lost private key is irrelevant because a signature
only creates a rebuttable presumption of validity.
Many schemes bind a disclaimer into the signature, this is why SAML
assertions have an audience condition.
In short, these are issues that a protocol designer has to bear in mind
when developing a messaging application. They are not reasons it cannot
work.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170824/d52caf10/attachment.html>
More information about the cryptography
mailing list