:: Request-Remailing-To: wilcoxb@nag.cs.colorado.edu Subject: Why I don't sign all my mail Latent-Time: +0:00 Cutmarks: #-- -----BEGIN PGP SIGNED MESSAGE----- Bryce - you write:
Thanks for the info, Bill. I have a question: why are you sending e-mail in the clear and without authentication? I don't expect that anyone would want to forge mail from you to me, but I would be pleased if I could be a little more certain of those things, and besides "Think of it as a form of solidarity."
Convenience, mostly. Encryption and signature are semi-different issues. If I clear-sign something, and you don't want to check it, it doesn't cause you any trouble, but for most people, getting mail that's encrypted takes extra work, especially if they're following proper security procedures for their PGP implementations (not running it on insecure systems, not leaving passphrases in cleartext for autosigners, etc.) Think of proper security as "solidarity with people who need real security" :-). (Yeah, I also run PGP on insecure systems, mainly for signature-checking, but I do use separate keys that have words like "insecure" in the userid strings.) The big issues are convenient interfaces with my email system. Private Idaho's gotten good enough that if I want to send encrypted/signed/etc. email, I can grab the mail I want to send into the clipboard (or compose it inside PI), add headers for who to send it to, pull down a couple menu items, and it pops into PGP; when it's done, another menu choice dumps the completed message back into Eudora, and the next version can send it out directly if I prefer. On the other hand, moving mail _from_ Eudora _to_ PI is still a couple actions (separate cut/pastes for the body, address, and Subject:), so I don't usually bother. The other convenience problem is key-handling for people whose keys I don't already have. PGP is too slow on a PC to haul the entire keyserver database into my pubkey files. So either I have to send email to a key-server (non-real time, especially since I do most of my email off-line), or use finger. Unfortunately, your key wasn't on the keyservers, and I don't have a decent PC finger client now that I'm using Trumpet Winsock instead of Netcruiser (the finger client I use doesn't allow cut&paste to the clipboard, screen-grabs didn't get me text, and I did eventually get most of your key information by doing several "telnet you@machine 79"s until one of them got the data before the session closed :-) Ugly... And then there's the key validation problem - your key isn't signed by anyone except yourself (yeah, ok, mine's only got signatures from previous keys of mine, which have signatures from expired keys from the people who signed mine :-) So my signature isn't as meaningful as it could be, since you probably can't validate it, and I can't guarantee having a valid public key for you to send you anything important. So I guess I need to go get my keys signed by a couple people, and so do you, and the next code project on my wait-until-3.0 list should probably be a recursive key-signature digger... Meanwhile, Private Idaho is at ftp.eskimo.com/u/j/joelm/, and it's now working with ViaCrypt-for-Windows as well as PGP 2.6.* for DOS. Thanks; Bill Stewart stewarts@ix.netcom.com -----BEGIN PGP SIGNATURE----- Version: 2.7.1 iQBVAwUBMCMPB/thU5e7emAFAQFYPAH7BXuxp0BCWKg8v/Uv6QzUQKSix3Zff3Kw FzBeSgDNN9KrOHEaUmemDXcBmcRabyeZyxrFTcgypvwADai1SYA45w== =Ht4c -----END PGP SIGNATURE----- #-- #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- # Crypto in 3-4 lines of perl --> http://dcs.ex.ac.uk/~aba/