What is the benefit of signing an encrypted email

Robert J. Hansen rjh at sixdemonbag.org
Tue Jan 18 15:31:30 CET 2011


On 1/18/11 6:36 AM, Hauke Laging wrote:
> If I regularly write emails to somebody and once he gets a mail that
> is not signed then he is to be distrustful.

Why?  This seems like you're saying, "I reserve the right to decide what
someone else's security policy is, particularly which messages they
trust and which they distrust."  Which is totally bogus.

> This is not about convincing someone that a certain email has not
> been written by me (as in your example) but to assure him that you 
> have written certain emails.

A good signature from a validated key belonging to a trusted person can
do this.  But that's it.

> Incapability of solving the first is not an argument against solving
> the second.

It is an argument against believing that it does -- as in your example
where the absence of a signature causes someone to distrust a message.
A signature or the lack thereof cannot demonstrate that a message is
untrustworthy.

> So why would somebody who cares about not being blamed for the
> content use an email address that refers to him? Somebody who cares
> about security?

A good rule of thumb is that nobody is as smart as they think.  Master
criminals are few and far between.  People make mistakes, and
malcontents are no exception.  Claiming, "I never signed up for that,
look at that email address, would I do that?", would receive a response
of, "Rob, are you forgetting I've had you in some of my classes?  I've
/seen/ some of the brainos you've made on exams.  I don't find it
implausible."

> In my opinion non-signing requires the receiver to be distrustful
> about the source.

You don't get to decide this.  The receiver gets to decide his or her
own policy.

> But in a non-technical way.

I doubt you will find many people who agree that your proposal does not
increase the technical complexity.


