On Fri, Mar 01, 2013 at 12:09:28PM -0500, Mark H. Wood wrote:
> On Thu, Feb 28, 2013 at 01:24:44PM -0600, Will Fiveash wrote:
> > - Why sign most messages? Unless the information is important for
> > others to verify that it came from a particular person why add the
> > bloat of a signature. Beyond this I find it ironic that people sign
> > e-mail with a private key where its public key isn't found on a
> > standard PGP/GPG keyserver like pgp.mit.edu or kerckhoffs.surfnet.nl.
>
> I sign all my messages so that I can say, "I sign all my messages.
> Don't believe anything claiming to be from me, if it is unsigned."
>
> Sure, I could violate my own policy at any time, but...why? Why put
> my name on a message that I've repudiated in advance?

The why is that you are adding needless bloat to most messages you send. Take for example the message you sent that I'm responding to. Does anyone care that it actually came from you and wasn't tampered with? I doubt it. On the other hand, I would be interested in validating the integrity of a message from you if it contained a patch to mutt that I was interested in. Also note that I've seen mail lists I belong to reject mail that has any attachment including digital signatures. I'm not happy with that behavior but I've learned to be pragmatic.

> I look forward with pleasant anticipation but not much hope, to the
> day when I can set maildrop to discard all unsigned mail before I see it.

Yes, given all the issues around digital signatures and key management I rarely sign or check signatures unless I have a good reason.

--
Will Fiveash