signing + mailing lists
John A. Martin
jam@jamux.com
Thu Sep 20 16:33:02 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "JRM" == Justin R Miller
>>>>> "signing + mailing lists"
>>>>> Tue, 18 Sep 2001 16:44:58 -0400
JRM> There has been some involved discussion on the mutt-users
JRM> list about digitally signing messages sent to mailing lists,
JRM> with plenty of good arguments on both sides. I'm curious as
JRM> to what people's opinions over here are.

One compelling reason for PGP signing all mail is so that you have
creditable deniability when someone falsifies mail making it look as if
it came from you. To be creditable you want to have established the
pattern long before the trouble arises. It is more important in this
connection to have a well established history of signing all mail than
it is that each correspondent be willing or able to verify every
signature. With news and mailing lists there is a good chance that
someone besides you will spot a PGP message that does not verify. In
my experience the only significant mail-based process that has been
persistently unable to handle PGP signed mail was the domain
registration services at NAI but that problem was easily solved when
other registrars became available. (BTW and ironically, forged and
spoofed domain registration templates were the first impersonation with
material consequences that I had to deal with. I would estimate that
during the last 8 years or so I have seen at least two or three
incidents of email impersonation among my acquaintances.)

Another reason is for recognition. When you use one signature
consistently for many purposes folks can recognize the owner of your
PGP key as a consistent "network identity" even when they have had no
way to verify your real world identity through the web of trust. GPG
'lsign-key' is convenient for keeping track of such keys.

Finally the social and political reasons for making visible and
routine use of cryptography, including signatures, are at least as
important now as they were ten years ago when Phil Zimmermann and others
urged folks to PGP sign all email. One can now choose signatures that
are smaller and less obtrusive than was possible just a few years ago.

jam
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP encrypted mail preferred. See <http://www.gnupg.org/>
iEYEARECAAYFAjup/X0ACgkQUEvv1b/iXy/5eQCdGHUIna6dNK5SIJQDBNTHN915
Md4Anj4ldgFtS+K6CQJZTZzkP73CobEn
=H/07
-----END PGP SIGNATURE-----