What is the benefit of signing an encrypted email

Nicholas Cole nicholas.cole at gmail.com
Tue Jan 18 19:12:00 CET 2011


On Tue, Jan 11, 2011 at 10:04 AM, jimbob palmer <jimbobpalmer at gmail.com> wrote:
> In Firefox I can sign or encrypt or encrypt+sign an e-mail.
>
> In what case would I want my encrypted emails also signed? Does it
> provide any additional benefit over a pure encrypted email?

It is, in fact, trivial to 'forge' email - that is to send email
pretending to be someone else.  All you need to do is tell your
computer to send out email with a different "From:" line.  Most SMTP
servers will forward an email from an authenticated user (or from
anyone on the network) without checking that the From line matches
their approved email address.  This is, for the most part, a feature,
not a bug.  There are various schemes to prevent this from being
possible (or at least undetectable) and OpenPGP offers one way -
albeit one that places a great demand on the sysadmin or the user or
both.

In fact, email is forged every day in just this way - but most of it
is such obvious spam that it is easier for the human eye to weed out
than it is to set up OpenPGP, which is why so few people have ever
done so.

Back when I was a student a friend of a friend of a friend got very
drunk and started forging emails in this way pretending to be the
Dean.  But even these were such obvious forgeries, and the other email
headers were so detailed, that it did not require OpenPGP to detect
him.

Best wishes,

Nicholas
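The point of the reply, shown with GnuPG itself, as an added example that is not part of the original thread: an encrypt-only message can be produced by anyone holding the recipient's public key, so the "From:" line inside it proves nothing, whereas a signed+encrypted message can only be produced by whoever holds the sender's secret key, and the recipient's gpg reports that key on decryption. The script assumes gpg (GnuPG 2.1 or later) is installed, works in a throwaway GNUPGHOME so no real keyring is touched, and the "Dean" and "Recipient" identities and message bodies are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread: demonstrates with GnuPG why
# "encrypt" alone says nothing about who wrote a message, while "sign+encrypt"
# lets the recipient check the author. Assumes gpg (GnuPG 2.1 or later) is on
# PATH. Runs in a throwaway GNUPGHOME so real keyrings are untouched; the
# identities and message text are constructed for the demo.
set -e

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg: no prompts, empty passphrases, no trust-db questions.
g() {
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --trust-model always "$@"
}

# Two throwaway keypairs: the claimed sender (the Dean) and the recipient.
g --quick-generate-key 'Dean <dean@example.invalid>' default default never 2>/dev/null
g --quick-generate-key 'Recipient <recipient@example.invalid>' default default never 2>/dev/null

# Forgery: anyone who has the recipient's PUBLIC key can produce this. The body
# claims to come from the Dean, but nothing ties it to the Dean's key.
forge_unsigned() {
  printf 'From: Dean <dean@example.invalid>\n\nSend me the exam answers.\n' |
    g --recipient recipient@example.invalid --encrypt --armor
}

# Genuine message: only the holder of the Dean's SECRET key can produce this.
sign_and_encrypt() {
  printf 'From: Dean <dean@example.invalid>\n\nSee me in my office.\n' |
    g --local-user dean@example.invalid --recipient recipient@example.invalid \
      --sign --encrypt --armor
}

# Recipient side: decrypt the message on stdin and report who signed it, using
# GnuPG's machine-readable status lines (--status-fd) rather than its prose.
# Plaintext goes to a file so only status lines reach stdout.
signer_of() {
  status="$(g --status-fd 1 --output "$GNUPGHOME/plain.txt" --decrypt 2>/dev/null)"
  case "$status" in
    *GOODSIG*)
      printf '%s\n' "$status" | sed -n 's/^\[GNUPG:\] GOODSIG [0-9A-Fa-f]* //p' ;;
    *BADSIG*|*ERRSIG*)
      echo "bad-or-unverifiable-signature" ;;
    *)
      echo "no-signature" ;;
  esac
}

# Stand-alone run: the encrypt-only message decrypts fine but carries no proof
# of origin; the signed one names the key that produced it.
echo "unsigned forgery   -> $(forge_unsigned | signer_of)"
echo "signed by the Dean -> $(sign_and_encrypt | signer_of)"
```

The decision is made on the `GOODSIG` status line, not on the decrypted "From:" text: the header is just bytes anyone can type, the status line is gpg's statement that a signature verified against a specific key. A mail client that shows a "decrypted" badge without also showing who (if anyone) signed the message is reporting confidentiality, not authenticity.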
