[Cryptography] PGP-Signed Email
Jason Richards
jjr2 at gmx.com
Sun Aug 27 03:29:27 EDT 2017
StealthMonger:
> In a posting claiming to be from Jason Richards <jjr2 at gmx.com> but
> lacking a signature, it is written:
>
>> StealthMonger:
>>> In an unsigned mail it is written:
>
>> And on that note: there aren't too many PGP-signed emails sent to
>> this list. Many years ago I used to sign all of my emails, however
>> I came to the conclusion that this is really quite pointless:
>>
>> o it proves only that whoever sent the email had access to my
>> private key at the time; and
>> o provides non-repudiation, which is bad in the case that the person
>> who had access to my private key wasn't me.
>
> These are reasons to use a strong PGP key and protect it well, not to
> not use PGP signing at all.
Indeed, they are reasons for me to protect my key well, and also
reasons to cast doubt on the sender of a signed email as I cannot check
the extent to which the claimed sender has protected her key. I know
too many people with good security knowledge and bad opsec.
>> So, my question then is: what are the benefits of always sending
>> PGP-signed email ... especially on open email lists such as this?
>
> PGP signing enables one to accrue a reputation which cannot be spoiled by
> malicious forgery, and cannot be stolen. This is especially important
> for someone who is known only by her Internet utterances, such as a
> persistent pseudonym.
Ah, yes, thank you, I had not considered this. As there is no one to
verify the sender it is left to technology to do so.
Exactly the sort of answer I was looking for!
J