sign encrypted emails

Doug Barton dougb at dougbarton.us
Sat Jan 4 02:28:05 CET 2014


On 01/03/2014 01:28 AM, Robert J. Hansen wrote:
> On 1/3/2014 3:33 AM, Doug Barton wrote:
>> This threat model doesn't make a lot of sense, except for very naive
>> users who cannot distinguish the importance of a message that is
>> encrypted vs. a message (encrypted or not) which is signed.
>
> I'm going to cautiously disagree.  What we call "very naive users"
> account for the vast majority of GnuPG users.

I don't necessarily disagree with you on that. :)

> Unfortunately, that's as far as my disagreement goes.  I see what
> Hauke's getting at, but I disagree that it really amounts to much of a
> problem, or that his proposed fix would work.
>
> The real problem Hauke's discovered is, "people generally don't have the
> educational background to think formally and critically about trust."
> Which is, well, true -- but that one's a hell of a hard problem to
> solve.  Everything else (including "sign-encrypt-sign" schemes) amounts
> to just ways to try to dodge the real issue.

Yes, that is the point I was trying to get across.

... and I did actually suggest a solution to the problem Hauke is 
(ostensibly) trying to solve. The sender can include a statement in 
their signed message regarding whether or not they also encrypted it 
before sending. However, I would still argue that doing so would have no 
real benefit.

Thinking further, what *may* be useful would be for the mail client to 
pop up a message that says something similar to, "This message was 
encrypted, but not signed. No assumptions should be made about the 
validity of the message itself."

In the end, however, there is no substitute for user education. :-/

Doug
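
The client-side notice suggested in the message above could be driven by GnuPG's machine-readable status output. This is an added example, not part of the original post and not GnuPG's or any mail client's own code; it assumes the client captured the text written to `--status-fd` while processing the message, and the key IDs, fingerprint and sample lines are constructed.

```python
# Added example (not from the original post). Assumes the mail client ran
# gpg with --status-fd on a dedicated descriptor and captured the text;
# the status must never be parsed out of the message body itself.
NOT_ACCEPTABLE = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

WARN_UNSIGNED = ("This message was encrypted, but not signed. No assumptions "
                 "should be made about the validity of the message itself.")

def status_keywords(status_text):
    """Collect KEYWORD from every '[GNUPG:] KEYWORD args...' line."""
    found = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            found.add(parts[1])
    return found

def classify(status_text):
    """Return (encrypted, signature) with signature in good/bad/none."""
    kw = status_keywords(status_text)
    encrypted = "DECRYPTION_OKAY" in kw
    if kw & NOT_ACCEPTABLE:
        signature = "bad"
    elif {"GOODSIG", "VALIDSIG"} <= kw:
        signature = "good"
    else:
        signature = "none"
    return encrypted, signature

def banner(status_text):
    """Text the client shows above the message body."""
    encrypted, signature = classify(status_text)
    if signature == "bad":
        return "Signature check failed. Do not trust the stated sender."
    if signature == "none":
        return WARN_UNSIGNED if encrypted else "This message is not signed."
    return "Signed and encrypted." if encrypted else "Signed, not encrypted."

# Constructed samples; key IDs and fingerprints are placeholders.
ENCRYPTED_ONLY = """[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""
SIGNED_AND_ENCRYPTED = ENCRYPTED_ONLY + """
[GNUPG:] GOODSIG 0123456789ABCDEF Alice (constructed) <alice@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2014-01-04 1388800000"""

if __name__ == "__main__":
    for sample in (ENCRYPTED_ONLY, SIGNED_AND_ENCRYPTED):
        print(banner(sample))
```

A "good" result here only means the signature verified against some key in the keyring; whether that key belongs to the claimed sender is the separate trust question the thread is about.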



