nanog mailing list archives

Re: Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT


From: "Stephen Sprunk" <ssprunk () cisco com>
Date: Wed, 10 Jul 2002 15:30:24 -0500


Thus spake "Andy Dills" <andy () xecu net>
> Yes, but once again you must consider content, given that most mail
> clients don't automatically verify signatures. Most of us will have to
> make a judgement call as to whether or not to bother to check the
> signature.
>
> The higher the degree of "importance" of the content, the more likely I am
> to check the signature, and the more likely I am to take verification
> steps if not signed.
>
> If the content is not "important", I won't bother checking the signature.

Why not just upgrade to a modern MUA and not have to worry?

OE only supports S/MIME for now, but it does automatically verify every message,
including checking that the From: line matches the key.  It makes a big stink if
the signature doesn't match, but just displays a simple little icon if it's
verified correctly.  How can you prefer to check messages manually and therefore
cause the problems you describe?

> Lest anybody confuse my argument, I think PGP signatures are a good thing.
> I just don't think people need to sign everything they send. And I'm
> talking about posts to Nanog here, not private communication. In private
> communication, it's reasonable to sign most everything sent with official
> business purpose.

Ironically, there's no need to sign intrabusiness email because it's trackable
by trusted authorities and therefore implicitly trusted for non-legal matters.
It's personal email that needs a trust mechanism.

> If the majority of mail clients automatically verified pgp signatures, I
> would be totally in favor of signing every single email. But the simple
> fact is that not only do most mail clients not support that, many mail
> clients can't even display the signed text inline! Surely a compromise is
> needed for now.

Sure.  Use old-style signatures if you're going to sign every message, and we
can transition to new-style signatures once most people upgrade.

S

