[Cryptography] PGP-Signed Email

[Tom Mitchell]

On Wed, Aug 23, 2017 at 6:17 PM, Moritz Bartl <moritz at headstrong.de> wrote:

> On 21.08.2017 04:30, Jason Richards wrote:
> > So, my question then is: what are the benefits of always sending
> > PGP-signed email and calling out when email is not signed, especially on
> > open email lists such as this?
>
> Here's a statement by K9Mail developer Vincent Breitmoser that
> underlines your point in a blog post titled "Signed-Only Mails
> Considered Harmful":
>
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html


For lists like this it seems some individuals wish to share their key
and a way to validate their identity.
This is a public list and there is no great way to send encrypted
messages to all yet a signed message is possible.

So to cross the bridge from identity in a group to sending a secure
message to an individual some
signed only traffic makes sense.   As Vincent (in M. Bartl's message)
stated it is added complexity and not free.

I think the list managers once a year or two might start a thread to
allow many to send
a signed message and a way to get their public keys. March first at
4:15am or April first?

It might best be addressed in the welcome message to the effect that
"after lurking for awhile
and when a thread of interest surfaces that you wish to contribute to
sign one and only one contribution"
to that thread if and only if signing messages is important.

We have had some discussions on how to manage an encrypted lists...
complexity is obvious.
Encryption with multiple recipients To:, Cc:, Bcc: & From:  is an
interesting problem...  A good solution
might have sorted Hillary email issues into a different bucket.



-- 
  T o m    M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170826/15b6fb7d/attachment.html>