sign encrypted emails
Doug Barton
dougb at dougbarton.us
Sat Jan 4 02:28:05 CET 2014

On 01/03/2014 01:28 AM, Robert J. Hansen wrote:
> On 1/3/2014 3:33 AM, Doug Barton wrote:
>> This threat model doesn't make a lot of sense, except for very naive
>> users who cannot distinguish the importance of a message that is
>> encrypted vs. a message (encrypted or not) which is signed.
>
> I'm going to cautiously disagree. What we call "very naive users"
> account for the vast majority of GnuPG users.

I don't necessarily disagree with you on that. :)

> Unfortunately, that's as far as my disagreement goes. I see what
> Hauke's getting at, but I disagree that it really amounts to much of a
> problem, or that his proposed fix would work.
>
> The real problem Hauke's discovered is, "people generally don't have the
> educational background to think formally and critically about trust."
> Which is, well, true -- but that one's a hell of a hard problem to
> solve. Everything else (including "sign-encrypt-sign" schemes) amounts
> to just ways to try to dodge the real issue.

Yes, that is the point I was trying to get across.

... and I did actually suggest a solution to the problem Hauke is
(ostensibly) trying to solve. The sender can include a statement in
their signed message regarding whether or not they also encrypted it
before sending. However I would still argue that doing so would have no
real benefit.

Thinking further, what *may* be useful would be for the mail client to
pop up a message that says something similar to, "This message was
encrypted, but not signed. No assumptions should be made about the
validity of the message itself."

In the end however there is no substitute for user education. :-/

Doug
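
[Added example, not part of the original message or of any mail client's code: one way a client could decide when to show the "encrypted, but not signed" notice suggested above, by reading what gpg writes to --status-fd. The function names, the other banner texts and the sample status output are assumptions made for illustration.]

```python
# Added example. Status keywords are from GnuPG's doc/DETAILS; the sample
# status output below is constructed, with placeholder key IDs.
PREFIX = "[GNUPG:] "
# The signature was checked and failed, or its key is expired or revoked.
PROBLEM_SIGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def classify(status_text):
    """Return (encrypted, sig) where sig is 'good', 'problem' or 'none'.

    Feed this only the stream gpg wrote to --status-fd, never output that
    is mixed with message text, which the sender controls.
    """
    keywords = set()
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                keywords.add(fields[0])
    encrypted = "DECRYPTION_OKAY" in keywords
    if keywords & PROBLEM_SIGS:
        sig = "problem"      # one failing signature outweighs a good one
    elif "GOODSIG" in keywords:
        sig = "good"         # verifies; key trust (TRUST_*) is not judged here
    else:
        sig = "none"
    return encrypted, sig

def banner(status_text):
    """Hypothetical mail-client banner text for one processed message."""
    encrypted, sig = classify(status_text)
    if sig == "problem":
        return "The signature on this message could not be verified."
    if sig == "good":
        return "Signed" + (" and encrypted." if encrypted else ", not encrypted.")
    if encrypted:
        return ("This message was encrypted, but not signed. No assumptions "
                "should be made about the validity of the message itself.")
    return "This message was neither encrypted nor signed."

ENCRYPTED_ONLY = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""
SIGNED_AND_ENCRYPTED = ENCRYPTED_ONLY + (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n")

if __name__ == "__main__":
    print(banner(ENCRYPTED_ONLY))
    print(banner(SIGNED_AND_ENCRYPTED))
```
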
More information about the Gnupg-users
mailing list