-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello!
Moritz Bartl <mor...@headstrong.de> wrote: > On 11/29/2016 10:25 AM, Peter Gutmann wrote: > >> [...] Signed-Only Mails are Useless [...] > > Yup, and it's for exactly the reasons given there that the S/MIME WG decided > > many years ago not to sign messages sent to the list. Courts, similarly, > > rule > > on the intent of the signer, not some attached bag of bits (see e.g. Steven > > Mason's excellent "Electronic Signatures in Law"). So while I wouldn't go > > so > > far as to call them harmful, I'd agree that they're mostly useless, unless > > you're using one to make some special point. Even then, if it's for legal > > purposes, a court will look at almost everything but the signature when > > deciding on its effect. > > This is a dangerous and wrong statement. For one, you are > making a case based purely on previous cases in US courts, > which is a very US-centric view, and dangerous for a discussion > that potentially affects all jurisdictions. Secondly, even > within US law, even if you're right in what you are saying, the > absoluteness of your statement makes it wrong. There are also purposes which have nothing to do with laws and contracts. One: Signatures don't just prove that the content is authentic, in practice they also work in the other direction - associating content and online identity with the signing key. A large amount of e-mails, consistently authored by the same persona and signed by the same key is as strong a signal of trustworthiness (of the key) as anything the web of trust or keyservers can provide. In many ways, it's stronger and more practical, because I probably care more about communicating with the person that wrote all those messages, than I care about government issued IDs or how diligent the author is at updating keyservers or attending keysigning parties. Um, in my opinion. I don't know if there is research which quantifies these assertions. So take with as many grains of salt as you feel appropriate. :-) Two: For automated signaling which affects the behaviour of the mail client behind the scenes, it'd be nice if third parties can't just inject/strip content. The OpenPGP header is an example of such a thing, such things get proposed quite frequently. A digital signature which covers [parts of] the header would be immensely useful - I know PGP doesn't usually do this, but it should and there are efforts to make it so. So that argues for moving things in the opposite direction, signing more, not less. This kind of thing is the main reason Mailpile signs by default. I worry about the usability, but I just think signatures are too useful to abandon them. - Bjarni -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYSGTJAAoJEI4ANxYAz5SRbwkIAKKF4Jigjr4ULUNwPeCDKVPe iwbTQApvF+Km3q9Ecq+GGTPKGZD69IGHD9Ls9qgmK+wJK01bwJnSjFNSw3HYLVNq DqAtreCIff9a72rlxvjXBoKUy/jAx9oXxPnnVbJNsaeEu43NNaMSzHW2ZZOd1cH8 m1vjz+QY1yEnJ1lu/NkV/npFspG4T9yQTabbAG+/NE5UhFSjEHZSQL/bg0gFhWsB vf40dL8lvdI+iZ6/KQCe5YurgsMQtrWU2RkDdlTrD9mEaDJsoNtBCCzz0j12jebj nWBV9e3ojniDZcndQh7vQ4wkoL6szdt7gHbtuXQNoghnhDIyKIlYlK0Q5uSpBPs= =GDiV -----END PGP SIGNATURE-----
_______________________________________________ Messaging mailing list Messaging@moderncrypto.org https://moderncrypto.org/mailman/listinfo/messaging
