mikaela.github.io/PGP/WhyDoISignEmails.html

<!DOCTYPE html>
<html>
<head>
<meta name="description" content="Explaining about why do I sign my emails using PGP." /> <meta name="keywords" content="PGP,email,GPG,spoofing,cacert,inline,PGP/INLINE,PGP/MINE,clearsign,Thunderbird,Icedove,Enigmail," /> <meta name="author" content="Mika Suomalainen" /> <link rel="canonical" href="http://mkaysi.github.com/PGP/WhyDoISignEmails.html"> <meta charset="UTF-8" />
<title>
Why do I sign emails, which I send?
</title>
<link rel="stylesheet" type="text/css" href="../tyyli.css" />
</head>
<hr/>
<a href="../sitemap/sitemap.html">Sitemap</a>
<hr/>

<h1 id="signing-emails.">Signing emails.</h1>
<h2 id="why-do-you-sign-all-your-messages">Why do you sign all your messages?</h2>
<p>The signature is evidence that message comes from me. If I sign all my messages, I can say that I sign all my messages and possibly unsigned offensive content, which is spoofed to &quot;come&quot; from my address, isn't sent by me.</p>
<h3 id="who-would-want-to-spoof-you">Who would want to spoof you?</h3>
<p>I don't know, but it seems that some people want. On 06.10.12 there has been spam attack against [Limnoria's pastebin] where the pasted message has title which contains some nicks (including mine) from #Limnoria at freenode and then Limnoria bot announces it on #Limnoria and spams people.</p>
<p>What does this have to do with me? I was sleeping when this started around 00:30 Finnish time (UTC+3), but the pasted message claims</p>
<pre><code>Pasted by Mkaysi.</code></pre>
<p>Everyone knows that I am known as Mkaysi at multiple places, but that paster isn't me. If I pasted something, the paster name would be &quot;Mkaysi&quot;.</p>
<p>Maybe I will start signing all my pastes in the future. There is [feature request for pastebinit] about that.</p>
<h4 id="expection">Expection</h4>
<p>School forces me to send some emails without signing them when I am not at home.</p>
<h3 id="but-it-doesnt-prove-anything-you-can-just-leave-offensive-content-unsigned.">But it doesn't prove anything, you can just leave offensive content unsigned.</h3>
<p>True, I could do that. But I don't have habit of writing offensive text and saying that it doesn't come from me.</p>
<h2 id="your-signature-doesnt-mean-anything-anyway-because-you-arent-part-of-any-trust-web.">Your signature doesn't mean anything anyway, because you aren't part of any trust web.</h2>
<p>Actually, I am, but my key is only signed by bots (see below).</p>
<p>You might have &quot;import-minimal&quot; or &quot;import-clean&quot; in your keyserver-options in your gpg.conf, so you don't see the signatures. If you don't have them, run</p>
<blockquote>
<p>gpg --keyserver pool.sks-keyservers.net --refresh-keys 0x4DB53CFE82A46728</p>
</blockquote>
<p>and signatures should appear.</p>
<p><em>NOTE</em>: My key contains information, that my preferred keyserver is pool.sks-keyservers.net, so it's used with --refresh-keys with my key even if you speify another keyserver. This isn't the case if you use very old version of my key.</p>
<h3 id="why-you-dont-get-signatures-from-some-bot-certificate-authority">Why you don't get signatures from some bot certificate authority?</h3>
<h4 id="pgp-global-directory"><a href="https://keyserver.pgp.com/vkd/GetWelcomeScreen.event">PGP Global Directory</a></h4>
<p>I have got signature from <a href="https://keyserver.pgp.com/vkd/GetWelcomeScreen.event">PGP Global Directory</a>, it wanted only to confirm my email addresses.</p>
<h3 id="hushmail"><a href="https://www.hushtools.com/">Hushmail</a></h3>
<p>I have got signature from <a href="https://www.hushtools.com/">Hushmail</a>. It wanted only to confirm email addresses too.</p>
<h3 id="cacert"><a href="https://cacert.org/">CAcert</a></h3>
<p>According to &quot;Locate assurer&quot; feature at <a href="https://cacert.org/">CAcert</a>, the nearest assurer is 110KM away from me.</p>
<h4 id="why-did-you-mention-cacert">Why did you mention <a href="https://cacert.org/">CAcert</a>?</h4>
<p><a href="https://wiki.cacert.org/PgpSigning">https://wiki.cacert.org/PgpSigning</a></p>
<h1 id="clearsigninginline-signing">Clearsigning/INLINE signing</h1>
<h2 id="why-do-you-gpg-clearsign-your-emails-instead-of-using-pgpmime-or-something-less-spammy">Why do you GPG clearsign your emails instead of using PGP/MIME or something less spammy?</h2>
<ol class="incremental" style="list-style-type: decimal">
<li><p>Some mailing list software mess up with headers and make PGP/MIME signatures unverifiable at least to Enigmail. Some people say that that what those mailing lists do is completely valid. It's up to you to believe in Enigmail developers or other people.</p>
<p>Which mailing lists do that?</p>
<p>At least the following:</p>
<ol class="incremental" style="list-style-type: decimal">
<li><p><a href="https://lists.ubuntu.com">Ubuntu mailing lists</a>. See also <a href="https://bugs.launchpad.net/bugs/996581">bug 996581 at Launchpad</a>.</p></li>
<li><p><a href="https://www.mozdev.org/mailman/listinfo">Mozdev mailing lists</a>.</p></li>
<li><p><a href="http://lists.gnupg.org/mailman/listinfo/">GnuPG mailing lists</a>.</p></li>
</ol></li>
<li><p>INLINE messages are easier to verify manually (presuming that charset doesn't cause problems).</p>
<p>There are many web archives and sometimes people want to verify signatures of emails, which they didn't receive. Think about <a href="http://bugs.debian.org/">Debian BTS</a>.</p></li>
<li><p><a href="https://github.com/k9mail/k-9">K9 Mail</a> doesn't support PGP/MIME.</p></li>
<li><p><a href="http://bugs.debian.org/">Debian BTS</a> doesn't send working PGP/MIME back in subscribtion confirmations.</p>
<p>In my opinion, it's easier to check did you request something with [Ðebian BTS] if it has content, which is signed with your key.</p></li>
</ol>
<h2 id="but-clearsigned-signature-looks-ugly.">But clearsigned signature looks ugly.</h2>
<p>This is the problem of your email client. If you use <a href="https://mozilla.org/thunderbird">Thunderbird or Icedove or Seamonkey</a>, you can probably install <a href="http://enigmail.mozdev.org/home/index.php.html">Enigmail</a> and that signature block gets hidden. If you use some other email client, please report bug for that package in your distribution or upstream bug tracker.</p>
<p><strong>Enigmail doesn't hide the keyblock unless you import the key</strong></p>
<h2 id="importing-keys-automatically">Importing keys automatically</h2>
<p>To import keys automatically (when you receive email/file/whatever that is signed and you don't have the key), you have two options. Remember that this imports keys of other people too, so you will be seeing less large ugly character messes. :)</p>
<h3 id="enigmail">Enigmail</h3>
<p>Go to &quot;OpenPGP&quot; --&gt; &quot;Settings&quot; --&gt; &quot;Show Expert Settings&quot; --&gt; &quot;Keyserver&quot; and enter keyserver address to the second box. I recommend pool.sks-keyservers.net as it's the most popular. (Please note that I am using Enigmail in Finnish so I have translated these places from Finnish to English, they might have different names to you).</p>
<blockquote>
<p>pool.sks-keyservers.net</p>
</blockquote>
<h3 id="gnupg-level">GnuPG level</h3>
<p>If you are using GPG, you can add two lines to your gpg config file. In Linux and Mac that means ~/.gnupg/gpg.conf, with Windows it means &quot;C:.conf&quot; (or something like that).</p>
<pre><code>keyserver pool.sks-keyservers.net
keyserver-options no-include-revoked auto-key-retrieve</code></pre>
<p>If you are worried about space usage of your public keyring, you can add &quot;import-clean&quot; or &quot;import-minimal&quot; after &quot;auto-key-retrieve&quot;. The first removes all useless signatures from the key (=signatures from keys that aren't in your keyring) and the second removes all signatures from the key.</p>
<p>I am importing keys fully and I have 118 different public keys in my keyring and the space usage is 4,4M. I am on multiple mailing lists where some people use PGP or GPG.</p>
<h2 id="i-am-on-slow-connection-and-your-signature-is-too-big-for-me.">I am on slow connection and your signature is too big for me.</h2>
<p>And what does that have to do with INLINE signature? In PGP/MIME you would download the same mess, but inside signature.asc file.</p>
<h1 id="other-things">Other things</h1>
<h2 id="why-did-you-write-this-page">Why did you write this page?</h2>
<p>Because I am fed up explaining myself on some mailing lists. This page will be linked in my email signature and I will ignore every question about things, which read on this page.</p>
<h2 id="so-you-are-just-ignorant-and-want-to-spam-people">So you are just ignorant and want to spam people?</h2>
<p>I want to raise awareness about PGP and that it's very easy to spoof emails from addresses of other people. As stated previously, I will also ignore claims like that.</p>
</html>

<hr/>

<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
var disqus_developer = 0; 
var disqus_url = 'http://mkaysi.github.com/PGP/WhyDoISignEmails.html';
var disques_title = 'Why do I sign emails using PGP';
var disqus_shortname = 'mkaysishomepage'; // required: replace example with your forum shortname
/* * * DON'T EDIT BELOW THIS LINE * * */
            (function() {
                var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = 
true;
                dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
                (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0])
.appendChild(dsq);
            })();
        </script>
        <noscript>
Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Dis qus.</a>
</noscript>

<p>
<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus </span></a>
</p>
<!-- vim : set ft=html -->