Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT
Stephen Sprunk
ssprunk at cisco.com
Wed Jul 10 20:30:24 UTC 2002
Thus spake "Andy Dills" <andy at xecu.net>
> Yes, but once again you must consider content, given that most mail
> clients don't automatically verify signatures. Most of us will have to
> make a judgement call as to whether or not to bother to check the
> signature.
>
> The higher the degree of "importance" of the content, the more likely I am
> to check the signature, and the more likely I am to take verification
> steps if not signed.
>
> If the content is not "important", I won't bother checking the signature.
Why not just upgrade to a modern MUA and not have to worry?
OE only supports S/MIME for now, but it does automatically verify every message,
including checking that the From: line matches the key. It makes a big stink if
the signature doesn't match, but just displays a simple little icon if it's
verified correctly. How can you prefer to check messages manually and therefore
cause the problems you describe?
> Lest anybody confuse my argument, I think PGP signatures are a good thing.
> I just don't think people need to sign everything they send. And I'm
> talking about posts to Nanog here, not private communication. In private
> communication, it's reasonable to sign most everything sent with official
> business purpose.
Ironically, there's no need to sign intrabusiness email because it's trackable
by trusted authorities and therefore implicitly trusted for non-legal matters.
It's personal email that needs a trust mechanism.
> If the majority of mail clients automatically verified pgp signatures, I
> would be totally in favor of signing every single email. But the simple
> fact is that not only do most mail clients not support that, many mail
> clients can't even display the signed text inline! Surely a compromise is
> needed for now.
Sure. Use old-style signatures if you're going to sign every message, and we
can transition to new-style signatures once most people upgrade.
S