Hi,

On Thu, Feb 28, 2013 at 01:24:44PM -0600, Will Fiveash wrote:
> I have a couple of comments about this:
>
> - Why sign most messages? Unless the information is important for
> others to verify that it came from a particular person why add the
> bloat of a signature. Beyond this I find it ironic that people sign
> e-mail with a private key where its public key isn't found on a
> standard PGP/GPG keyserver like pgp.mit.edu or kerckhoffs.surfnet.nl.

The point is - if you have no policy what to sign, anyone could make up a message of yours and claim it wasn't signed. I can claim I have not sent a single unsigned message since '98 or something, be it private or work. Signing a mail might be a good hint for HAM detection, but that's going too far.

> - If one is concerned enough about allowing others to verify the
> integrity of a message shouldn't this concern also extend to
> attachments which are a classic attack vector?

In my wet dreams I'm encrypting every single message. But mutt is not very helpful in this. Yes - it can encrypt, but I'd like mutt to decide automatically when it's capable of encrypting the mail (remember multiple To:, Cc:, Bcc:). It would be okay to encrypt a mail if I have a key for all recipients. If not, a nice way would be if mutt split the mail into an encrypted one for all recipients I have a key for, and an unencrypted one for all I have no key for.

In times where all countries try to get hold of your communication data it is best to try to encrypt all your communication - be it in transit or stored. It's all there: encrypted filesystems, be it truecrypt or dm-crypt; in transit e.g. ssh, smtp with STARTTLS, imaps; and gnupg for your mails.

Signing a mail is a sign of - I'd like to get all mails encrypted - this is the key I am using.

Flo
--
Florian Lohoff [email protected]
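The "encrypt if I have a key for every recipient, otherwise split" policy from the message above, written out as an added example (not mutt's code and not the poster's); the keyring is a constructed lookup table standing in for a real `gpg --list-keys` query, and all addresses are placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample keyring: recipient addresses for which a usable public
# key is available. A real client would ask gpg for each address instead.
KNOWN_KEYS = {
    "alice@example.org": "KEYID_PLACEHOLDER_A",
    "bob@example.net": "KEYID_PLACEHOLDER_B",
}


def recipients(raw_message):
    """Collect every address from the To:, Cc: and Bcc: headers."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def plan_encryption(raw_message, keyring=KNOWN_KEYS):
    """Decide how the message can be sent.

    'encrypt' - every recipient has a key, send one encrypted copy;
    'plain'   - no recipient has a key, send in the clear;
    'split'   - send an encrypted copy to the keyed group and a separate
                cleartext copy to the rest (each copy must be a separate
                message; the Bcc: header is dropped from both as usual).
    """
    rcpts = recipients(raw_message)
    with_key = sorted(a for a in rcpts if a in keyring)
    without_key = sorted(a for a in rcpts if a not in keyring)
    if not without_key:
        mode = "encrypt"
    elif not with_key:
        mode = "plain"
    else:
        mode = "split"
    return {"mode": mode, "encrypt_to": with_key, "plain_to": without_key}


# Constructed sample message with one recipient that has no key.
SAMPLE = """\
From: flo@example.com
To: Alice <alice@example.org>, carol@example.com
Cc: bob@example.net
Subject: test

hello
"""

if __name__ == "__main__":
    print(plan_encryption(SAMPLE))
```

Note that in 'split' mode the cleartext copy still exposes the full content to the unkeyed recipients and to anyone on that path, so the split only protects the keyed half.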
