On 2000.12.14, in <[EMAIL PROTECTED]>,
        "Lars Hecking" <[EMAIL PROTECTED]> wrote:
> 
>  IMHO signing list email is a useless and wasteful exercise, especially
>  if the sender hasn't submitted his/her keys to the public keyservers.
>  In this situation, those who have configured their encryption software
>  to automatically import keys from these servers are penalised.

This has come up before in my conversation with others.  I think that
signing all mail as a policy is a waste of resources and a potential
source of annoyance, whether it's list mail or not.  I think that
sensitive material (code patches, or authoritative announcements of new
software releases, or analyses of the latest Communications Prohibition
Act, and the like) ought to be signed if possible; anyone who is
concerned about the validity of the message can check the signature if
they like.

But, by and large, it doesn't matter.  I don't really care whether it
was really the person I know as Lars Hecking who wrote the message I'm
replying to right now.  It only matters what's said in this case, and
not much who said it.  If I want to confirm all this, I can write to
Lars and he can sign it.  If I sign my mail to Lars, he'll quite
possibly even sign his reply.  But chances are exceedingly small that
any given item of information really needs to be corroborated.  Since
PGP became available, I've been asked only a handful of times to resend
something with a signature.  I'm reluctant to believe that's only
because people don't know that I have a signing key.

Having the signatures come up, and my mailer and OpenPGP client freeze
while I wait to download a signature that might and might not be on the
server that I use, only to discover that the signed material doesn't
even need validation, is somewhat irritating at times - semi-political
privacy agenda or no.

-- 
 -D.    [EMAIL PROTECTED]        NSIT    University of Chicago
