What is the benefit of signing an encrypted email

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 12 17:15:48 CET 2011


On 01/12/2011 10:57 AM, Robert J. Hansen wrote:
> Speaking for Enigmail, it's because 99% of the time signatures are worthless.
> They contribute to the illusion of data integrity while actually providing no
> guarantees.  It's best if you only sign messages you deliberately intend to
> sign, messages where you believe all three conditions are met and the signature
> contributes to the overall integrity of the communication.  We believe this is
> the responsible thing to do, rather than encouraging our users to buy into a
> false sense of security.

I agree with Robert that enigmail's choice of defaults (don't autosign
every message) is a good thing, though i think i'd phrase the concern a
little differently.  I wouldn't say "signatures are worthless" (i sign
nearly all of my outbound mail), but i do think that people should only
sign messages they intend to sign and have thought about.

Hopefully, this thoughtfulness extends into thinking about their message
making sense even if it is seen out-of-context. For example, a signed
e-mail message with a Subject: header of "Proposal X" and a body of "I
say we should do it!" can be trivially repurposed by a backer of
Proposal Y to imply that the same person supports Y instead of X (since
only the e-mail body is signed, and not the headers).

If enigmail were to default to signing everything, then it would sign
messages for people that they have not thought about.  As a result, that
weakens the meaning of their signature, to the point where even if they
*have* thought about and decided to sign any given message, the fact
that their signature is attached thoughtlessly to so many other messages
makes it dubious.

So enigmail defaults to not sign every outbound message in order to keep
the value of your signature high by not applying it to things you
haven't thought about.

For those who make the conscious decision to sign all their e-mails, and
think consciously about what they send, there's nothing wrong with
changing the default (though you should get used to turning off signing
when you realize you're about to send a message that might not be
context-independent or where the signature might screw something up).

	--dkg
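
The point above about headers falling outside the signature, as an added example that is not part of the original message: it extracts the bytes a multipart/signed signature covers and checks whether the signed text restates the Subject. The sample messages are constructed, the function names are hypothetical, and a SHA-256 digest stands in for the input to an OpenPGP signature (no real signature is made or verified).

```python
import hashlib
from email import message_from_bytes

def build(subject: str, body: str) -> bytes:
    """Constructed sample shaped like PGP/MIME; the signature is a placeholder."""
    return "\r\n".join([
        "From: alice@example.org",
        f"Subject: {subject}",
        "MIME-Version: 1.0",
        'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=utf-8",
        "",
        body,
        "--b1",
        "Content-Type: application/pgp-signature",
        "",
        "[detached signature placeholder]",
        "--b1--",
        "",
    ]).encode()

def signed_part(raw: bytes) -> bytes:
    """Bytes a multipart/signed signature is computed over: the first MIME part."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    delim = b"\r\n--" + msg.get_boundary().encode()
    body = b"\r\n" + raw.split(b"\r\n\r\n", 1)[1]
    return body.split(delim)[1][2:]  # drop the CRLF that ends the boundary line

def covered_digest(raw: bytes) -> str:
    """Stand-in for the signature input: digest of the covered bytes only."""
    return hashlib.sha256(signed_part(raw)).hexdigest()

def subject_bound(raw: bytes) -> bool:
    """True when the signed text itself restates the Subject header."""
    subject = (message_from_bytes(raw)["Subject"] or "").strip()
    return bool(subject) and subject.encode() in signed_part(raw)

if __name__ == "__main__":
    a = build("Proposal X", "I say we should do it!")
    b = build("Proposal Y", "I say we should do it!")
    c = build("Proposal X", "I say we should do Proposal X!")
    print(covered_digest(a) == covered_digest(b))  # same covered bytes
    print(subject_bound(a), subject_bound(c))
```

A message whose body names what it refers to keeps that context inside the signed bytes, so a changed Subject no longer matches the signed text.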
