signing + mailing lists

John A. Martin jam@jamux.com
Thu Sep 20 16:33:02 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "JRM" == Justin R Miller
>>>>> "signing + mailing lists"
>>>>> Tue, 18 Sep 2001 16:44:58 -0400
    JRM> There has been some involved discussion on the mutt-users
    JRM> list about digitally signing messages sent to mailing lists,
    JRM> with plenty of good arguments on both sides.  I'm curious as
    JRM> to what people's opinions over here are.

One compelling reason for PGP signing all mail is so that you have creditable deniability when someone falsifies mail making it look as if it came from you. To be creditable you want to have established the pattern long before the trouble arises. It is more important in this connection to have a well established history of signing all mail than it is that each correspondent be willing or able to verify every signature.

With news and mailing lists there is a good chance that someone besides you will spot a PGP message that does not verify.

In my experience the only significant mail-based process that has been persistently unable to handle PGP signed mail was the domain registration services at NAI, but that problem was easily solved when other registrars became available. (BTW and ironically, forged and spoofed domain registration templates were the first impersonation with material consequences that I had to deal with. I would estimate that during the last 8 years or so I have seen at least two or three incidents of email impersonation among my acquaintances.)

Another reason is for recognition. When you use one signature consistently for many purposes, folks can recognize the owner of your PGP key as a consistent "network identity" even when they have had no way to verify your real world identity through the web of trust. GPG 'lsign-key' is convenient for keeping track of such keys.

Finally, the social and political reasons for making visible and routine use of cryptography, including signatures, are at least as important now as they were ten years ago when Phil Zimmermann and others urged folks to PGP sign all email. One can now choose signatures that are smaller and less obtrusive than was possible just a few years ago.
        jam

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP encrypted mail preferred. See <http://www.gnupg.org/>

iEYEARECAAYFAjup/X0ACgkQUEvv1b/iXy/5eQCdGHUIna6dNK5SIJQDBNTHN915
Md4Anj4ldgFtS+K6CQJZTZzkP73CobEn
=H/07
-----END PGP SIGNATURE-----