* Greg Black <[EMAIL PROTECTED]> wrote:
> On 2006-02-24, Peter Saint-Andre wrote:
> > Personally I doubt that anything other than a small percentage of
> > email will ever be signed, let alone encrypted (heck, most people
> > on this list don't even sign their mail).

My personal experience differs. The people that have set up some kind of encryption to protect their privacy will use it at best and advertise such a possibility at the very least. Be it via kludges, email headers, footers, inline signatures, word of mouth (websites). The important fact is they do something.

I did a little research on my email of the past month, both public mailing lists and private mail. The vast majority of private email was signed (and encrypted with both sender and recipient being part of the WoT), with public mailings showing a slightly increasing number of signed mailings. I realize that's far from being representative, but that's really the way it should be.

> That's at least partly because too many mailing lists either reject
> signed messages out of hand or, worse, have subscribers who use
> providers that reject signed messages and then spam you with their
> idiotic bounce messages.

That's too true. Emails with signatures as attachments are often blocked (or with attachments removed altogether) because of the omnipresent virus-hype; I strongly believe that coping with possible virus threats is definitely not the job of a mailing list software. But there's still the possibility of inline signatures. As to the ISP issue, it would make perfect sense to me to switch ISPs because of such bounce messages. However, I personally know of some that are better not mentioned by name, and sadly don't regret their practice. Net-neutrality has to be existent!

Back to topic; e.g. both mutt, and its recent offspring mutt-ng, easily allow one to adapt, as do other mail user agents out there. I strongly recommend using such features if present. In the past I've seen forged signatures added to SPAM mails, so it's about time to sharpen the public's view on the matter.

On a sidenote: From what I've heard, most banks don't bother much with encryption and solely focus on message integrity. Well, even if one shares the rather naive viewpoint of having nothing to hide (but still doesn't run naked; I wonder why...) it just can't hurt to have integrity added to one's own messages. I'm going to repeat soon: It doesn't have to be the full package right from the start. And with phishing attacks becoming more and more sophisticated it's only a matter of time until the public has to deal with the whole issue of integrity.

> Keeping track of which lists allow signed email and which don't is
> impractical if you subscribe to hundreds of lists, so the simple
> thing is to tick the "don't sign" box on list messages.

Sad but true. However, IMHO, that's also equal to "I give up <sigh>" and clearly the wrong path one could possibly choose. Nonetheless, I guess it's safe to assume the ordinary user to have only a handful of mailing lists subscribed; granted, some people receive tens of mailing lists, but hundreds? Let's not forget the time involved. I subscribed to 30 mailing lists, and to my liking there is not a single one lacking the more or less occasional signed mailings.

One could argue with the list admins to allow signatures; that's usually an up-hill battle that still can be won by inline signatures. Of course, it's a hassle in terms of getting a working setup but it is far worse to leave the battlefield to the enemy. By doing so one gives the masses a wrong impression of the actual ease, once locally implemented, of being able to add integrity to one's messages. And that's only one step short of the actual much needed privacy, imho.

Verifying the integrity of a message lies at the receiving end, after all. That's where one has to start. It doesn't have to be the whole thing about encryption, message signing, WoT, etc. right from the start, curiosity will do the rest. In essence: A barbeque about such a topic will suffice.
In my experience I can proudly point to some bowling/poker events that did the trick for some people. "It's not wrong, it's a start..."

> In this case, since Peter's message was signed, I know this list
> allows signatures. So I'll sign this message.

Add me to the list (and forgive the pun please). Even if this list would not, with the sig added as attachment, I would do so via inline signature. So, why not always sign messages to a list that permits signatures?

> But the signature will be of limited utility, as not one of the
> several email addresses on my signature is a match for the email
> address I am sending this from. Again, lists being what they are,
> I use a different address for most lists and my PGP key would
> become absurd if I added several hundred addresses to it.

That's why I use a sole key for mailing lists and related encrypted mailings, in addition to my private and work keys. Works like a charm ever since. To avoid confusion I only permit my private and work keys to be signed.

> I personally would prefer to sign every email I send. I'd also
> prefer to encrypt all non-public messages. I am fully competent in
> the use of the current technology, but it turns out to be not
> practical to use.

I agree that there's much work ahead. Still, I sign almost every message, be it private or public, and if possible sign and encrypt. That's personal taste of course, but I'd like to see such a pattern much more often in modern daily life.

Quite frankly, I wouldn't have thought this topic would emerge the way it has on a cryptography mailing list. Maybe it's about time to publish my article "Why Cryptography Is Important In Modern Life" after all (don't hold your breath; with me being pretty busy it's not due until after Easter).

--
left blank, right bald