why do you sign your mails?

stef

25 Jun 2014 25 Jun '14

9:20 a.m.

i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt

Show replies by date

Cathal (phone)

25 Jun 25 Jun

10:19 a.m.

Mail client's configured to. Also, it establishes a history of key use in a public forum. On 25 June 2014 10:20:50 GMT+01:00, stef wrote:

...

i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.

-- otr fp: https://www.ctrlc.hu/~stef/otr.txt

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

rysiek

10:50 a.m.

Dnia środa, 25 czerwca 2014 11:20:50 stef pisze:

...

i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.

I sign my e-mails for the same reasons I undersign them. E-mail is dead-easy to forge, so when I have something to say, I sign it in a way to ensure that it's as unforgeable as possible. I sign *all* my e-mail (and try to encrypt as much as possible, but that's another thing), even trivial, so that if anybody gets e-mail from me that is *not* signed, they will be more likely to suspect foul play. -- Pozdr rysiek

rysiek

10:52 a.m.

Dnia środa, 25 czerwca 2014 11:20:50 stef pisze:

...

i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.

One more reason: spreading the word about GPG/PGP. This actually helps get people interested in encryption, and helps also inform people that do have a GPG/PGP key (but for different reasons do not use them on a general basis), that here's a person that does use it, and it's possible to encrypt e-mails to that person. Which might not be all that important on cpunks, I give you that, but a rule is a rule. ;) -- Pozdr rysiek

Scott Blaydes

26 Jun 26 Jun

4:55 a.m.

On Jun 25, 2014, at 5:52 AM, rysiek wrote:

...

Dnia środa, 25 czerwca 2014 11:20:50 stef pisze:

...
i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.

One more reason: spreading the word about GPG/PGP. This actually helps get people interested in encryption, and helps also inform people that do have a GPG/PGP key (but for different reasons do not use them on a general basis), that here's a person that does use it, and it's possible to encrypt e-mails to that person.

Which might not be all that important on cpunks, I give you that, but a rule is a rule. ;)

I do it to let the people I am communicating with through plaintext email know that I am setup and configured to handle encrypted communications. All they need to do is pull my pub key off of a key server and then our communications are encrypted from that point forward. The prevention of being impersonated is also one reason, along with a way to secretly signal to the recipient that I am under duress and my words may not be my own. Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone. Thank you, Scott Blaydes ========================\ /---------------------------------------------------------- scott@sbce.org \ / *BSD/Linux Advocate crypto user GPG 096EECF0D8A2381E \/ Society for Better Computing Ethics gpg key on keyserver / \ http://sbce.org/ -------------------------------------------/ \==================================

Cryptoparty Marseille

9:50 a.m.

On 26/06/2014 06:55, Scott Blaydes wrote:

...

On Jun 25, 2014, at 5:52 AM, rysiek wrote:

...
...
i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play. One more reason: spreading the word about GPG/PGP. This actually helps get

Dnia środa, 25 czerwca 2014 11:20:50 stef pisze: people interested in encryption, and helps also inform people that do have a GPG/PGP key (but for different reasons do not use them on a general basis), that here's a person that does use it, and it's possible to encrypt e-mails to that person.

Which might not be all that important on cpunks, I give you that, but a rule is a rule. ;) I do it to let the people I am communicating with through plaintext email know that I am setup and configured to handle encrypted communications. All they need to do is pull my pub key off of a key server and then our communications are encrypted from that point forward.

The prevention of being impersonated is also one reason, along with a way to secretly signal to the recipient that I am under duress and my words may not be my own.

Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone. Maybe you could create a signing subkey specifically for your cell phone.

Thank you, Scott Blaydes

========================\ /---------------------------------------------------------- scott@sbce.org \ / *BSD/Linux Advocate crypto user GPG 096EECF0D8A2381E \/ Society for Better Computing Ethics gpg key on keyserver / \ http://sbce.org/ -------------------------------------------/ \==================================

cryptomars cryptoparty.fr

Scott Blaydes

2:48 p.m.

On Jun 26, 2014, at 4:50 AM, Cryptoparty Marseille wrote:

...

...
Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone.

Maybe you could create a signing subkey specifically for your cell phone.

...

That is a good idea, but I just don’t feel comfortable doing anything GPG/PGP related on my phone. Part of it is paranoia, part of it is grounded in reason. If confiscated by a LEO, the fact that I have encryption related apps will make my phone even more interesting to them. Thank you, Scott Blaydes

3738

Age (days ago)

3739

Last active (days ago)

List overview

Download

6 comments

5 participants

participants (5)

Cathal (phone)
Cryptoparty Marseille
rysiek
Scott Blaydes
stef