Signing all outgoing mails on MTA, not on MUA

Chris Babcock cbabcock at kolonelpanic.com
Fri Mar 27 16:56:14 CET 2009


On Fri, 27 Mar 2009 15:47:27 +0100
Christoph Gröver <grover at sitepark.com> wrote:

> This way nobody has to think about it and signing works transparently
> for everyone. We would have one key for all, like a corporate key.

You may want to ask legal how they feel about adding nonrepudiation
automatically to every message.

If you had a system where you could make a meaningful assertion about
the identity of a mail originator and you could secure a key without
using a passphrase then you might use OpenPGP to make that assertion
by operating GnuPG in batch mode. It's much more likely, however, that
the type of identity you wish to assert is not compatible with the
OpenPGP model and that the security infrastucture is inadequate to make
that assertion meaningfully. Think, for example, about key signing. Who
would be qualified to verify that the key is connected with the
identity in any meaningful way?

The corporate value of public key cryptography is much more readily
attained using DKIM. Milter setup and key management for signing DKIM
mail is pretty straight forward. You place your key in Text records in
DNS. That establishes a meaningful connection between the identity
of the sender (or at least ownership of the mail server) and the owner
of the domain. Setting up DKIM with Postfix was at least as easy as
setting up GPG with Claws and it makes an identity assertion that is
appropriate for a server environment.

Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: </pipermail/attachments/20090327/8e8af00e/attachment.pgp>


More information about the Gnupg-users mailing list