[Cryptography] PGP-Signed Email

Jason Richards jjr2 at gmx.com
Sun Aug 27 03:29:27 EDT 2017


StealthMonger:
> In a posting claiming to be from Jason Richards <jjr2 at gmx.com> but
> lacking a signature, it is written:
> 
>> StealthMonger:
>>> In an unsigned mail it is written:
> 
>> And on that note: there aren't too many PGP-signed emails sent to
>> this list.  Many years ago I used to sign all of my emails, however
>> I came to the conclusion that this is really quite pointless:
>>
>> o it proves only that whoever sent the email had access to my
>> private key at the time; and
>> o provides non-repudiation, which is bad in the case that the person
>>   who had access to my private key wasn't me.
> 
> These are reasons to use a strong PGP key and protect it well, not to
> not use PGP signing at all.

Indeed, they are reasons for me to protect my key well, and also
reasons to cast doubt on the sender of a signed email as I cannot check
the extent to which the claimed sender has protected her key. I know
too many people with good security knowledge and bad opsec.

>> So, my question then is: what are the benefits of always sending
>> PGP-signed email ... especially on open email lists such as this?
> 
> PGP signing enables one to accrue a reputation which cannot be spoiled by
> malicious forgery, and cannot be stolen.  This is especially important
> for someone who is known only by her Internet utterances, such as a
> persistent pseudonym.

Ah, yes, thank you, I had not considered this. As there is no one to
verify the sender it is left to technology to do so.

Exactly the sort of answer I was looking for!

J
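Added example, not part of the thread: a Go model of the reputation argument made above (a persistent pseudonym accrues credit only through posts that verify under its key, while forged, tampered and unsigned posts accrue nothing) together with the caveat raised earlier in the thread (a signature proves only access to the private key). It uses Ed25519 from the Go standard library as a stand-in for OpenPGP so it runs without a keyring; the Post and Ledger types, SignPost, KeyFromSeed, the trust-on-first-use pinning and the sample posts are all constructed for illustration and are not how gpg or any list software works.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Post is a list message as the recipient sees it. From is a bare claim, like
// an SMTP From: header; only the signature binds Body to a particular key.
type Post struct {
	From   string            // claimed sender, unverified
	Body   string            // message text that was (or was not) signed
	PubKey ed25519.PublicKey // key the sender attached; nil on an unsigned post
	Sig    []byte            // signature over Body; nil on an unsigned post
}

// KeyFromSeed derives a deterministic key from a label so the example runs
// without a keyring. Demonstration only: real keys come from a CSPRNG (or gpg).
func KeyFromSeed(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("demo-seed:" + label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Fingerprint is the short identifier a reader pins a pseudonym to, playing
// the role a PGP key fingerprint plays.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// SignPost builds a signed post (stand-in for gpg --clearsign).
func SignPost(from, body string, priv ed25519.PrivateKey) Post {
	return Post{
		From:   from,
		Body:   body,
		PubKey: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, []byte(body)),
	}
}

// Verify returns the fingerprint of the key that signed the post, or "" when
// the post is unsigned or the signature does not match Body under PubKey.
func Verify(p Post) string {
	if len(p.PubKey) != ed25519.PublicKeySize || len(p.Sig) != ed25519.SignatureSize {
		return ""
	}
	if !ed25519.Verify(p.PubKey, []byte(p.Body), p.Sig) {
		return ""
	}
	return Fingerprint(p.PubKey)
}

// Ledger pins each pseudonym to the first key seen signing for it (trust on
// first use) and counts verified posts per key, so reputation accrues only to
// posts that verify under the pinned key.
type Ledger struct {
	pinned map[string]string // pseudonym -> fingerprint
	score  map[string]int    // fingerprint -> verified post count
}

func NewLedger() *Ledger {
	return &Ledger{pinned: map[string]string{}, score: map[string]int{}}
}

// Apply classifies a post and credits reputation when it verifies.
// Result is one of "unsigned", "bad-signature", "key-mismatch", "accepted".
func (l *Ledger) Apply(p Post) string {
	fp := Verify(p)
	if fp == "" {
		if p.Sig == nil && p.PubKey == nil {
			return "unsigned"
		}
		return "bad-signature"
	}
	if pin, ok := l.pinned[p.From]; !ok {
		l.pinned[p.From] = fp
	} else if pin != fp {
		return "key-mismatch"
	}
	l.score[fp]++
	return "accepted"
}

// Reputation is the verified-post count behind a pseudonym (0 if unknown).
func (l *Ledger) Reputation(pseudonym string) int {
	return l.score[l.pinned[pseudonym]]
}

func main() {
	owner := KeyFromSeed("stealthmonger") // the pseudonym's own key
	forger := KeyFromSeed("forger")       // someone else's key
	l := NewLedger()

	fmt.Println(l.Apply(SignPost("StealthMonger", "post 1", owner)))   // accepted
	fmt.Println(l.Apply(SignPost("StealthMonger", "post 2", owner)))   // accepted
	fmt.Println(l.Apply(SignPost("StealthMonger", "forgery", forger))) // key-mismatch
	tampered := SignPost("StealthMonger", "post 3", owner)
	tampered.Body = "post 3, altered in transit"
	fmt.Println(l.Apply(tampered))                                   // bad-signature
	fmt.Println(l.Apply(Post{From: "StealthMonger", Body: "hello"})) // unsigned
	fmt.Println(l.Reputation("StealthMonger"))                       // 2

	// The caveat from the thread: a signature proves only access to the private
	// key. A post signed with a stolen copy of `owner` verifies identically, so
	// the reputation is only as safe as the key's opsec.
	fmt.Println(l.Apply(SignPost("StealthMonger", "from stolen key", owner))) // accepted
}
```

The From line is never trusted on its own: a forger reusing the name but a different key is rejected as key-mismatch, a copied signature over an altered body fails as bad-signature, and an unsigned post earns nothing, which is the "cannot be spoiled by forgery" half of the argument. The last call shows the other half only holds while the key is protected, since verification cannot tell the owner from anyone else holding the private key.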
