Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT

Andy Dills andy at xecu.net
Wed Jul 10 19:45:41 UTC 2002


On Wed, 10 Jul 2002, Jordyn A. Buchanan wrote:

> Your facts are correct, but you're missing one so your conclusion is wrong.
>
> You need to verify the signature in order to be able to rely on it.
> However, if one usually does not consistently sign their messages, then it
> becomes entirely plausible that a spoofed message lacks a signature not
> because the forger does not have the capability to generate the signature,
> but simply because the sender simply neglected to attach a signature (yet
> again).  In this case, unsigned data is accorded roughly the same level of
> authenticity as signed data.

Yes, but once again you must consider content, given that most mail
clients don't automatically verify signatures. Most of us will have to
make a judgement call as to whether or not to bother to check the
signature.

The higher the degree of "importance" of the content, the more likely I am
to check the signature, and the more likely I am to take verification
steps if not signed.

If the content is not "important", I won't bother checking the signature.


Lest anybody confuse my argument, I think PGP signatures are a good thing.
I just don't think people need to sign everything they send. And I'm
talking about posts to NANOG here, not private communication. In private
communication, it's reasonable to sign most everything sent with official
business purpose.

If the majority of mail clients automatically verified PGP signatures, I
would be totally in favor of signing every single email. But the simple
fact is that not only do most mail clients not support that, many mail
clients can't even display the signed text inline! Surely a compromise is
needed for now.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, LLC                            www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access



