signatures for other people's emails

Hauke Laging mailinglisten at hauke-laging.de
Wed Apr 16 16:14:23 CEST 2014


Hello,

this is not GnuPG-specific, not even crypto-specific in the sense that I 
guess no real change to any crypto tool or standard would be necessary. 
Technically it's about a new MIME container usage but crypto-related. I 
hope here are the right people to comment on that. Somehow I prefer 
getting slammed here over the openpgp working group mailing list...

This idea came from a real experience a few days ago. I am trying to get 
crypto usage on a large scale to one of Germany's biggest universities 
(FU Berlin). The CS and math departments organize a small (but official) 
information event. I give four real courses (inofficial but supported by 
the dean; http://crypto.spline.de/). As this is mainly about peer 
pressure for the freshman students I wanted to teach some of the Ph.D. 
students crypto first. We invited about 30 people, none even reacted.

I was told that this effect was less about the offer itself but more 
about the point that this was "one more email from a stranger to a group 
of people". I.e. probably not even read by many of them.

That was the example, now the idea:

With a small change to the PGP/MIME standard this would have been 
possible: I write the email but do not send it to the intended 
recipients but to the dean first. He makes a signature (some easy one-
click feature maybe with a comment) about the email (or about my 
signature) and sends it back to me. Then I add his signature to my email 
and send it to the recipients. Now this happens: The recipients still 
see an email from a stranger to a group of people but now their mail 
client tells them that their dean (and maybe even more people) supports 
this email.

Of course, you have noticed that a crypto feature does not work in a 
mail which shall make people start using crypto but you get the idea. 
This would be possible without crypto, too, but I guess to easy to abuse 
for being accepted.

I guess it would be enough to replace the signature container by a 
multipart container with several signatures. Somehow the real sender 
signature would have to be marked (or rather: the support signatures 
should be marked as such, either implicitly by being a signature over 
the sender signature or explicitly by a notation).

I don't want to be too optimistic but I guess this could be so useful 
that it might actually become a reason for the not so small "I have 
nothing to hide" group to start using crypto.


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140416/3c39c3fa/attachment.sig>


More information about the Gnupg-users mailing list