> IMHO signing list email is a useless and wasteful exercise, especially
> if the sender hasn't submitted his/her keys to the public keyservers.
> In this situation, those who have configured their encryption software
> to automatically import keys from these servers are penalised.
This has come up before in my conversation with others. I think that signing all mail as a policy is a waste of resources and a potential source of annoyance, whether it's list mail or not. I think that sensitive material (code patches, or authoritative announcements of new software releases, or analyses of the latest Communications Prohibition Act, and the like) ought to be signed if possible; anyone who is concerned about the validity of the message can check the signature if they like. But, by and large, it doesn't matter. I don't really care whether it was really the person I know as Lars Hecking who wrote the message I'm replying to right now. It only matters what's said in this case, and not much who said it. If I want to confirm all this, I can write to Lars and he can sign it. If I sign my mail to Lars, he'll quite possibly even sign his reply. But chances are exceedingly small that any given item of information really needs to be corroborated. Since PGP became available, I've been asked only a handful of times to resend something with a signature. I'm reluctant to believe that's only because people don't know that I have a signing key. Having the signatures come up, and my mailer and OpenPGP client freeze while I wait to download a signature that might or might not be on the server that I use, only to discover that the signed material doesn't even need validation, is somewhat irritating at times - semi-political privacy agenda or no.