> also, since most people on the list don't know you in real life, all
> they know is that you're the same person who has always been writing
> email under that name and with that PGP key.  there's no real advantage
> to doing this IMHO in most cases.

I disagree -- if Thomas didn't sign all his messages, i could write a
message to this list, pretending to be him, and say, "Hey, there's a problem
with mutt. You should all immediately apply the following patch. And don't
worry about checking to make sure that it's not a trojan horse; after all,
i'm Thomas. You can trust me."

Even though you've never met him, and only know him as "that guy who posts
to mutt-dev and signs messages with that key", you still want to be
protected from someone else coming along and taking over that identity.

Also, i'm not familiar with PGP, but at least with S/MIME, a signed message
generally contains the sender's certificate (public key). So by signing your
messages, it gets your certificate "out there".

This means, for example, that someone could take just this signed message,
extract my certificate, and send me an encrypted message --without having to
contact any keyservers--. 


-- 
Mike Schiraldi
VeriSign Applied Research

Attachment: smime.p7s
Description: application/pkcs7-signature
