
Re: [openpgp] On Signed-Only Mails

2016-11-30 03:42:44
On 30 November 2016 at 10:03, Alexander Strobel <Alexander(_dot_)Strobel(_at_)giepa(_dot_)de> wrote:

> On 29.11.2016 at 10:18, Vincent Breitmoser wrote:
>> Hi all,
>>
>> (cross-posting on openpgp and messaging mls)
>>
>> during my work on bringing OpenPGP to K-9 Mail, I found myself
>> reevaluating a lot of things. This time it's about signed-only mails.
>>
>> In short, my conclusion so far is that signed-only mails are very rarely
>> useful; they are holding OpenPGP back as a solution for encrypted
>> e-mail, and in the interest of usability we should not roll them out in
>> email crypto solutions on equal terms with encryption.
>
> I don't think signed-only emails are useless. In my personal opinion I
> would love to see all companies sending out signed emails that contain
> invoices.
> If any company changed their email addresses or someone from
> another department sent me an email, I would know that this is
> (presumably) not a phishing attack. [... snip ...]
> Sure, the company had to put the fingerprints of their key(s) on their
> website or tell it on the phone and I would have to check it, but that's
> not a very big problem.
> Maybe I'm missing something, but in this case signing seems a good idea to me.


Yes, conceptually this is a very good case for signing e-mails. In fact,
many companies already do this with more light-weight DKIM signatures. As
an added bonus, users (or UI makers) are saved the hassle of manual key
management because the signing keys are simply available in DNS.

-Thijs van Dijk
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
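The reply above contrasts OpenPGP's manual fingerprint check with DKIM, where the verifier finds the signing key in DNS by itself. The following is an added illustration of that key-discovery step, not code from the thread or from any mail client: it parses a DKIM-Signature header value, derives the DNS name (`selector._domainkey.domain`) a verifier would query, and checks the TXT record it gets back for a usable key. The header, the TXT record, the domain `example.com`, the selector `sel2016` and the key bytes are all constructed here; no DNS query is made, and cryptographic verification of the body hash and signature is out of scope.

```python
"""DKIM key discovery in DNS (added example; constructed data only)."""
import base64
import re

# Constructed DKIM-Signature header value (folded over several lines, as on the wire).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2016;\r\n"
    "\th=from:to:subject:date; bh=3VWGQGY+cSNYd1MGoXDhEQ/RB1hBHkRMpsBZfD/3yqw=;\r\n"
    "\tb=abcd/EFGH+ijkl=="
)

# Constructed TXT record as it would be published at sel2016._domainkey.example.com.
# The p= value is a placeholder: only the DER RSA AlgorithmIdentifier, not a full
# SubjectPublicKeyInfo, so that the structural check below has something to test.
SAMPLE_TXT_RECORD = "v=DKIM1; k=rsa; t=s; p=MA0GCSqGSIb3DQEBAQUA"

# Constructed revoked record: an empty p= means "this selector no longer signs".
REVOKED_TXT_RECORD = "v=DKIM1; k=rsa; p="


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Tags are separated by ';'. Folding whitespace may appear anywhere around
    or inside a value, so all whitespace inside a value is stripped.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def dkim_key_dns_name(signature_value: str) -> str:
    """Return the DNS name a verifier queries for the key behind a signature."""
    tags = parse_tag_list(signature_value)
    for required in ("v", "a", "b", "bh", "d", "h", "s"):
        if required not in tags:
            raise ValueError(f"DKIM-Signature lacks required tag {required}=")
    if tags["v"] != "1":
        raise ValueError(f"unsupported DKIM version {tags['v']!r}")
    if not tags["d"] or not tags["s"]:
        raise ValueError("empty domain or selector")
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_dkim_key_record(txt: str) -> dict:
    """Check a DKIM key TXT record and return the DER public key and its flags.

    Rejects records with an unknown version, an unsupported key type, a
    missing p= tag, or an empty p= (which RFC 6376 defines as key revocation).
    """
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError(f"unknown key record version {tags.get('v')!r}")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        raise ValueError(f"unsupported key type {key_type!r}")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    if tags["p"] == "":
        raise ValueError("key revoked: empty p= tag")
    der = base64.b64decode(tags["p"], validate=True)
    # RSA keys are published as DER SubjectPublicKeyInfo, an ASN.1 SEQUENCE (tag 0x30).
    if key_type == "rsa" and der[:1] != b"\x30":
        raise ValueError("p= does not look like DER-encoded ASN.1")
    flags = tags.get("t", "").split(":") if tags.get("t") else []
    return {
        "key_type": key_type,
        "der": der,
        "testing": "y" in flags,          # t=y: domain is testing DKIM, do not treat failures as fatal
        "strict_domain": "s" in flags,    # t=s: i= domain must equal d=, no subdomains
    }


if __name__ == "__main__":
    name = dkim_key_dns_name(SAMPLE_SIGNATURE)
    print("would query TXT", name)
    record = parse_dkim_key_record(SAMPLE_TXT_RECORD)
    print("key type:", record["key_type"], "DER bytes:", len(record["der"]),
          "testing:", record["testing"], "strict:", record["strict_domain"])
    try:
        parse_dkim_key_record(REVOKED_TXT_RECORD)
    except ValueError as exc:
        print("revoked record rejected:", exc)
```

The contrast the reply draws is visible in `dkim_key_dns_name`: everything a verifier needs to locate the key comes from the message itself plus the sender's DNS zone, whereas in the OpenPGP case the recipient has to obtain and compare a fingerprint out of band. The `t=y` and empty-`p=` handling are the two states a verifier most often gets wrong in practice.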