why do you sign your mails?
i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt

Mail client's configured to. Also, it establishes a history of key use in a public forum.

On 25 June 2014 10:20:50 GMT+01:00, stef <s@ctrlc.hu> wrote:
> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.
>
> --
> otr fp: https://www.ctrlc.hu/~stef/otr.txt

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

On Wednesday, 25 June 2014 11:20:50 stef wrote:
> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.

I sign my e-mails for the same reasons I undersign them. E-mail is dead-easy to forge, so when I have something to say, I sign it in a way to ensure that it's as unforgeable as possible. I sign *all* my e-mail (and try to encrypt as much as possible, but that's another thing), even trivial, so that if anybody gets e-mail from me that is *not* signed, they will be more likely to suspect foul play.

--
Regards
rysiek

On Wednesday, 25 June 2014 11:20:50 stef wrote:
> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.

One more reason: spreading the word about GPG/PGP. This actually helps get people interested in encryption, and helps also inform people that do have a GPG/PGP key (but for different reasons do not use them on a general basis), that here's a person that does use it, and it's possible to encrypt e-mails to that person.

Which might not be all that important on cpunks, I give you that, but a rule is a rule. ;)

--
Regards
rysiek

On Jun 25, 2014, at 5:52 AM, rysiek <rysiek@hackerspace.pl> wrote:
> On Wednesday, 25 June 2014 11:20:50 stef wrote:
>> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.
>
> One more reason: spreading the word about GPG/PGP. This actually helps get people interested in encryption, and helps also inform people that do have a GPG/PGP key (but for different reasons do not use them on a general basis), that here's a person that does use it, and it's possible to encrypt e-mails to that person.
>
> Which might not be all that important on cpunks, I give you that, but a rule is a rule. ;)

I do it to let the people I am communicating with through plaintext email know that I am set up and configured to handle encrypted communications. All they need to do is pull my pub key off of a key server and then our communications are encrypted from that point forward.

The prevention of being impersonated is also one reason, along with a way to secretly signal to the recipient that I am under duress and my words may not be my own.

Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone.

Thank you,
Scott Blaydes

========================\ /----------------------------------------------------------
scott@sbce.org \ / *BSD/Linux Advocate
crypto user GPG 096EECF0D8A2381E \/ Society for Better Computing Ethics
gpg key on keyserver / \ http://sbce.org/
-------------------------------------------/ \==================================

On 26/06/2014 06:55, Scott Blaydes wrote:
> On Jun 25, 2014, at 5:52 AM, rysiek <rysiek@hackerspace.pl> wrote:
>> On Wednesday, 25 June 2014 11:20:50 stef wrote:
>>> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.
>>
>> One more reason: spreading the word about GPG/PGP. This actually helps get people interested in encryption, and helps also inform people that do have a GPG/PGP key (but for different reasons do not use them on a general basis), that here's a person that does use it, and it's possible to encrypt e-mails to that person.
>>
>> Which might not be all that important on cpunks, I give you that, but a rule is a rule. ;)
>
> I do it to let the people I am communicating with through plaintext email know that I am set up and configured to handle encrypted communications. All they need to do is pull my pub key off of a key server and then our communications are encrypted from that point forward.
>
> The prevention of being impersonated is also one reason, along with a way to secretly signal to the recipient that I am under duress and my words may not be my own.
>
> Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone.

Maybe you could create a signing subkey specifically for your cell phone.

> Thank you,
> Scott Blaydes
>
> ========================\ /----------------------------------------------------------
> scott@sbce.org \ / *BSD/Linux Advocate
> crypto user GPG 096EECF0D8A2381E \/ Society for Better Computing Ethics
> gpg key on keyserver / \ http://sbce.org/
> -------------------------------------------/ \==================================

cryptomars cryptoparty.fr

On Jun 26, 2014, at 4:50 AM, Cryptoparty Marseille <cryptomars@cryptoparty.fr> wrote:
>> Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone.
>
> Maybe you could create a signing subkey specifically for your cell phone.

That is a good idea, but I just don’t feel comfortable doing anything GPG/PGP related on my phone. Part of it is paranoia, part of it is grounded in reason. If confiscated by a LEO, the fact that I have encryption related apps will make my phone even more interesting to them.

Thank you,
Scott Blaydes

participants (5)
- Cathal (phone)
- Cryptoparty Marseille
- rysiek
- Scott Blaydes
- stef