mikaela.github.io/PGP/WhyDoISignEmails.html.md
2012-08-11 10:41:03 +03:00


Signing emails.

Why do you sign all your messages?

The signature is evidence that the message comes from me. If I sign all my messages, I can state that I sign all my messages, and that unsigned offensive content which is spoofed to “come” from my address wasn't sent by me.

But that doesn't prove anything; you could just leave the offensive content unsigned yourself.

True, I could do that. But I don't have a habit of writing offensive text and then claiming it didn't come from me.

Your signature doesn't mean anything anyway, because you aren't part of any web of trust.

Actually, I am, but my key is only signed by bots (see below).

You might have “import-minimal” or “import-clean” in the keyserver-options in your gpg.conf, in which case you won't see those signatures. If you don't have them, run

    gpg --keyserver pool.sks-keyservers.net --refresh-keys 0x4DB53CFE82A46728

and the signatures should appear.

NOTE: My key contains the information that my preferred keyserver is pool.sks-keyservers.net, so that server is used with --refresh-keys for my key even if you specify another keyserver (GnuPG honours a key's preferred-keyserver URL when the honor-keyserver-url keyserver option is on, which is its default). This isn't the case if you use a very old version of my key.

Why don't you get signatures from some bot certificate authority?

PGP Global Directory

I have got a signature from the PGP Global Directory; it only wanted to confirm my email addresses.

CAcert

According to the “Locate assurer” feature at CAcert, the nearest assurer is 110 km away from me.

Why did you mention CAcert?

https://wiki.cacert.org/PgpSigning

Clearsigning/INLINE signing

Why do you GPG-clearsign your emails instead of using PGP/MIME or something less spammy?

  1. Some mailing list software messes with the headers and makes PGP/MIME signatures unverifiable, at least in Enigmail. Some people say that what those mailing lists do is completely valid. It's up to you whether to believe the Enigmail developers or the other people.

    Which mailing lists do that?

    At least the following:

    1. Ubuntu mailing lists. See also bug 996581 at Launchpad.

    2. Mozdev mailing lists.

    3. GnuPG mailing lists.

  2. INLINE messages are easier to verify manually (presuming that the charset doesn't cause problems).

    There are many web archives, and sometimes people want to verify the signatures of emails which they didn't receive themselves. Think about the Debian BTS.

  3. K9 Mail doesn't support PGP/MIME.

  4. The Debian BTS doesn't send working PGP/MIME back in subscription confirmations.

    In my opinion, it's easier to check whether you requested something from the Debian BTS if the confirmation has content which is signed with your key.
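As an added example (not the page author's code and not GnuPG's), here is a small Python parser for the clearsigned format of RFC 4880 section 7 that performs the manual-verification steps which need no public key at all: it checks the armor CRC24, undoes the dash-escaping, canonicalises the text the way the signature hash requires (trailing blanks dropped, CRLF line ends, no final line end), decodes the v4 signature packet to find the hash algorithm and issuer key ID, and recomputes the hash to compare against the packet's "left 16 bits of hash" field, which is what gpg checks before doing the public-key operation. The signature packet, the key ID 0123456789ABCDEF, the timestamp and the sample text are constructed placeholders; the MPI inside the packet is fake, so gpg --verify would reject it. UTF-8 is assumed for the text.

```python
import base64
import hashlib
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
HASH_ALGOS = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
BEGIN_MSG, BEGIN_SIG = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Constructed sample inputs: placeholder key ID and timestamp, no real key behind them.
SAMPLE_KEYID = bytes.fromhex("0123456789ABCDEF")
SAMPLE_TIME = 1344600000
SAMPLE_TEXT = ("Hello list,\n\n-- a line starting with a dash gets dash-escaped\n"
               "I sign everything, so unsigned mail from my address is not mine.   \n")

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN_SIG}\n\n{body}\n={crc}\n{END_SIG}\n"

def dearmor(block: str) -> bytes:
    lines = block.strip().splitlines()
    if lines[0] != BEGIN_SIG or lines[-1] != END_SIG:
        raise ValueError("not a PGP SIGNATURE armor block")
    data = [ln for ln in lines[1:-1] if ln and ":" not in ln]  # drop blank and "Version:"-style lines
    crc_line = data.pop() if data[-1].startswith("=") else None
    packet = base64.b64decode("".join(data))
    if crc_line and crc24(packet) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC24 mismatch: signature block damaged in transit")
    return packet

def parse_subpackets(data: bytes) -> list:
    out, i = [], 0                                            # (type, body) pairs
    while i < len(data):                                      # one-octet lengths (< 192) only
        length = data[i]
        out.append((data[i + 1] & 0x7F, data[i + 2:i + 1 + length]))  # length counts the type octet
        i += 1 + length
    return out

def parse_signature(packet: bytes) -> dict:
    """Decode a v4 signature packet (tag 2); handles 0x88/0x89 old and 0xC2 new headers."""
    ctb = packet[0]
    tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
    if ctb & 0x40 or ctb & 3 == 0:                            # one-octet body length
        body = packet[2:2 + packet[1]]
    else:                                                     # two-octet body length
        body = packet[3:3 + int.from_bytes(packet[1:3], "big")]
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 signature packet")
    pos = 6 + int.from_bytes(body[4:6], "big")
    hashed_part = body[:pos]                                  # version, type, algos, hashed subpackets
    unhashed_len = int.from_bytes(body[pos:pos + 2], "big")
    subs = parse_subpackets(body[6:pos]) + parse_subpackets(body[pos + 2:pos + 2 + unhashed_len])
    pos += 2 + unhashed_len
    return {"hash_algo": body[3], "left16": body[pos:pos + 2],
            "created": next((int.from_bytes(b, "big") for t, b in subs if t == 2), None),
            "issuer": next((b.hex().upper() for t, b in subs if t == 16), None),
            # bytes hashed after the text: the hashed part, then 0x04 0xFF and its length
            "trailer": hashed_part + b"\x04\xff" + struct.pack(">I", len(hashed_part))}

def canonical_text(lines: list) -> bytes:
    """What is actually signed: trailing blanks dropped, CRLF line ends, no final CRLF."""
    return "\r\n".join(ln.rstrip(" \t") for ln in lines).encode("utf-8")

def quick_check(message: str) -> dict:
    """The checks gpg makes before it needs the public key at all."""
    lines = message.splitlines()
    if lines[0] != BEGIN_MSG:
        raise ValueError("not a clearsigned message")
    start = lines.index("") + 1                               # "Hash:" headers end at the blank line
    sig_start = lines.index(BEGIN_SIG, start)
    sig = parse_signature(dearmor("\n".join(lines[sig_start:])))
    algo = HASH_ALGOS[sig["hash_algo"]]
    plain = [ln[2:] if ln.startswith("- ") else ln for ln in lines[start:sig_start]]  # undo dash-escaping
    digest = hashlib.new(algo, canonical_text(plain) + sig["trailer"]).digest()
    return {"issuer": sig["issuer"], "hash": algo, "created": sig["created"],
            "left16_ok": digest[:2] == sig["left16"]}        # False: text or signature altered

def build_sample(text: str = SAMPLE_TEXT) -> str:
    """Constructed clearsigned message whose left-16 field matches its text; the MPI is fake."""
    lines = (text[:-1] if text.endswith("\n") else text).split("\n")
    hashed = bytes([4, 1, 1, 8]) + struct.pack(">H", 6) + bytes([5, 2]) + struct.pack(">I", SAMPLE_TIME)
    trailer = hashed + b"\x04\xff" + struct.pack(">I", len(hashed))
    left16 = hashlib.sha256(canonical_text(lines) + trailer).digest()[:2]
    unhashed = bytes([9, 16]) + SAMPLE_KEYID                  # issuer key ID subpacket
    body = hashed + struct.pack(">H", 10) + unhashed + left16 + b"\x00\x10\xde\xad"
    escaped = ["- " + ln if ln.startswith("-") else ln for ln in lines]
    return f"{BEGIN_MSG}\nHash: SHA256\n\n" + "\n".join(escaped) + "\n" + armor(bytes([0x88, len(body)]) + body)
```

Running quick_check(build_sample()) gives left16_ok True; editing a word in the signed text while keeping the signature block turns it False, exactly as a tampered or list-mangled message would fail in gpg. Adding trailing spaces to a line does not change the result, because the RFC strips them before hashing; re-encoding non-ASCII characters in another charset, re-wrapping lines or altering the dash-escaping does change it, which is the caveat behind point 2 above. With a real message the final step is simply gpg --verify on the saved file.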

But a clearsigned signature looks ugly.

This is a problem with your email client. If you use Thunderbird, Icedove or SeaMonkey, you can probably install Enigmail, and then the signature block gets hidden. If you use some other email client, please report a bug for that package in your distribution's or the upstream bug tracker.

I am on a slow connection and your signature is too big for me.

And what does that have to do with an INLINE signature? With PGP/MIME you would download the same data, just inside a signature.asc attachment.

Other things

Why did you write this page?

Because I am fed up with explaining myself on some mailing lists. This page will be linked in my email signature and I will ignore every question about things that are covered on this page.

So you are just ignorant and want to spam people?

I want to raise awareness of PGP and of how easy it is to spoof emails from other people's addresses. As stated previously, I will also ignore claims like that.