What is the benefit of signing an encrypted email

Hauke Laging mailinglisten at hauke-laging.de
Tue Jan 18 12:36:51 CET 2011


Sorry, just found this one in my spam folder :-)

On Wednesday, 12 January 2011 17:49:10, Robert J. Hansen wrote:
> > a) usual ("not thought about") email, just as a first hard line of
> > defense against forgery
> 
> Doesn't work.
> 
> Here's the thought experiment I've been using for years.

OK, I was not very clear about what exactly I meant. There are different types
of attack. I thought about securing the real communication. If I regularly
write emails to somebody and once he gets a mail that is not signed then he is
to be distrustful. This is not about convincing someone that a certain email
has not been written by me (as in your example) but about assuring him that you
have written certain emails.

It is perfectly OK that GnuPG solves only one of these two problems.
Inability to solve the first is not an argument against solving the
second.


> The Dean, not a fool, points out, "well, Rob, that doesn't actually mean
>  anything.  These opinions are so incendiary that if I wrote them I would
>  make it a point not to sign them, either, so that I could repudiate them
>  later.

So why would somebody who cares about not being blamed for the content use an 
email address that refers to him? Somebody who cares about security?


> Moral of the story: signatures do not protect against forgeries.  They
>  protect *individual messages* against being *modified without detection*. 

Just in the case that this individual message is known by the receiver to be 
signed.

In my opinion non-signing requires the receiver to be distrustful of the
source.


> ... The other reason this is a nonstarter: you're now increasing the
>  complexity of the system.

But in a non-technical way. Everyone is used to the concept that cars, houses 
and mailboxes have locks of different quality.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
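The receiver-side rule Hauke describes (a correspondent who has always signed suddenly sends an unsigned mail, so the receiver should become suspicious) can be made mechanical. The following is an added example, not code from the original post or from GnuPG: it parses RFC 822 messages with Python's standard `email` module, detects an OpenPGP/MIME `multipart/signed` structure, and keeps a per-sender count of verified signatures. An unsigned message from a sender who has crossed a signed-message threshold is flagged, a message with a bad signature is rejected, and an unsigned message from an unknown sender is merely left unverified. The cryptographic check is delegated to a verifier callable; in a real deployment that would be GnuPG, and here `stand_in_verify` is a constructed stand-in so the example runs offline. All addresses, thresholds and messages are constructed.

```python
"""Added example (not from the mailing-list post): a 'this sender always signs'
policy layered on top of signature verification. The verifier is a constructed
stand-in; a real deployment would call GnuPG instead."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Callable, Dict, List, Optional

SIGNED_OK = "signed-ok"    # multipart/signed and the verifier accepted it
SIGNED_BAD = "signed-bad"  # signature structure present but not verifiable
UNSIGNED = "unsigned"      # no OpenPGP/MIME signature at all


def signature_status(msg: Message, verify: Callable[[Message], bool]) -> str:
    """Classify a parsed message by its OpenPGP/MIME (RFC 3156) signature state."""
    if msg.get_content_type() != "multipart/signed":
        return UNSIGNED
    if msg.get_param("protocol") != "application/pgp-signature":
        return UNSIGNED
    parts = msg.get_payload()
    # A well-formed signed message has exactly two parts: content, then signature.
    if not isinstance(parts, list) or len(parts) != 2:
        return SIGNED_BAD
    if parts[1].get_content_type() != "application/pgp-signature":
        return SIGNED_BAD
    return SIGNED_OK if verify(msg) else SIGNED_BAD


class SenderHistory:
    """Per-sender memory of how many verified-signed messages were seen."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold          # signed mails before we expect signing
        self.signed_seen: Dict[str, int] = {}

    def evaluate(self, raw: str, verify: Callable[[Message], bool]) -> str:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        status = signature_status(msg, verify)
        seen = self.signed_seen.get(sender, 0)
        if status == SIGNED_OK:
            self.signed_seen[sender] = seen + 1
            return "accept"
        if status == SIGNED_BAD:
            return "reject"
        # Unsigned: only suspicious if this sender has a signing track record.
        if seen >= self.threshold:
            return "warn"
        return "accept-unverified"


def make_message(sender: str, body: str, signature: Optional[str] = None) -> str:
    """Build a constructed RFC 822 message, optionally wrapped as multipart/signed."""
    headers = f"From: {sender}\nTo: bob@example.org\nSubject: test\nMIME-Version: 1.0\n"
    if signature is None:
        return headers + "Content-Type: text/plain\n\n" + body + "\n"
    return (headers
            + 'Content-Type: multipart/signed; protocol="application/pgp-signature"; '
              'micalg=pgp-sha256; boundary="b1"\n\n'
            + "--b1\nContent-Type: text/plain\n\n" + body + "\n"
            + "--b1\nContent-Type: application/pgp-signature\n\n" + signature + "\n"
            + "--b1--\n")


def stand_in_verify(msg: Message) -> bool:
    """Constructed stand-in for GnuPG: accepts only the marker 'GOOD-SIG'."""
    return "GOOD-SIG" in msg.get_payload()[1].get_payload()


def run_demo() -> List[str]:
    """Run a constructed mailbox through the policy and return the decisions."""
    history = SenderHistory(threshold=3)
    mailbox = [
        make_message("alice@example.org", "message 1", "GOOD-SIG"),
        make_message("alice@example.org", "message 2", "GOOD-SIG"),
        make_message("alice@example.org", "message 3", "GOOD-SIG"),
        make_message("alice@example.org", "unsigned after a signed history"),
        make_message("alice@example.org", "tampered content", "BAD-SIG"),
        make_message("carol@example.org", "first contact, unsigned"),
    ]
    return [history.evaluate(raw, stand_in_verify) for raw in mailbox]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The state is keyed on the From address, which is exactly the thing a forger controls; the policy therefore only ever escalates (a signing sender who stops signing is flagged), never lowers, the scrutiny applied to a message. That is the asymmetry the thread is about: the history helps the receiver notice when an expected signature is absent, and says nothing about who wrote an unsigned mail from an address with no history.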