
Re: authenticated email

2003-06-05 06:42:24
> is there any particular disadvantage or centralization of power implied in
> me signing this message with my PGP key?

IMHO none (except for the extra inconvenience of periodically
typing in the [long!] passphrase and hitting an extra key).

> If not, is there any particular reason that I shouldn't do this all the
> time?

See above. :-)


> It's not a solution, but is there a downside?

It depends on what you mean by signing. Signing a
message in and of itself ought not hurt anything
modulo software bugs, etc. But the real question
is what does the receiving program (MTA, MUA) do
with that signature? At the very least it could
verify the signature, but then what? If it doesn't
verify do you drop it? (transitive trust comes
into play, but most likely). Does it do anything
beyond that?

1. IMHO if the sig doesn't verify - you drop the e-mail
   (just like if an IPsec packet comes with a corrupted MAC,
    you drop it).

2. Spammers might just generate a one-day PGP key, self-sign it,
   upload it to a server - and voila! - for this day they're free
   to send.

   So the trust will have to be established, only certain
   signatures be accepted, etc. This means - a closed list.
   I'd be OK with that, actually.

Let me ask something in return: do you think that
just the act of signing mail -- with no trust
roots implied -- could help? My sense is that it
might in a sow-the-seeds kind of way for some
later goodness (it's as you say not a solution).
I too would be happy to hear downsides.

It might be good - but I think it will be ineffective in
the spam war.
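The two acceptance rules argued for in the message above (drop mail whose signature does not verify; accept only signers on an explicit closed list, so a freshly generated self-signed key buys a spammer nothing) can be expressed as a small filter policy. The following is an added example, not code from the thread or from any of the participants. It assumes a constructed keyserver, trust list and set of messages, and it uses an HMAC over the body as a stand-in for real PGP signature verification so that it runs with the standard library only; the policy logic is the point, not the signature primitive.

```python
"""Mail-acceptance policy from the thread: drop mail whose signature fails,
and accept only signers on an explicit trust list (the 'closed list').

Signature checking here is a stand-in: an HMAC over the message body, keyed
by a per-key secret, plays the role of PGP signature verification. The
keyserver, trust list and messages are all constructed for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed "keyserver": key id -> secret. Anyone can upload a key here,
# which is exactly what the spammer does with KEY-SPAM, a one-day key.
KEYSERVER: Dict[str, bytes] = {
    "KEY-ALICE": b"alice-secret",
    "KEY-SPAM": b"spammer-one-day-secret",
}

# Constructed closed trust list: only mail signed by these keys is accepted.
TRUSTED_SIGNERS = {"KEY-ALICE"}


@dataclass
class Mail:
    sender_key: Optional[str]  # key id claimed in the message, None if unsigned
    body: bytes
    signature: Optional[str]   # hex digest, None if unsigned


def sign(key_id: str, body: bytes) -> str:
    """Stand-in for producing a PGP signature with the given key."""
    return hmac.new(KEYSERVER[key_id], body, hashlib.sha256).hexdigest()


def signature_verifies(mail: Mail) -> bool:
    """Rule 1 input: does the signature check out against the claimed key?"""
    if mail.sender_key is None or mail.signature is None:
        return False
    secret = KEYSERVER.get(mail.sender_key)
    if secret is None:
        return False  # key not known anywhere: cannot verify
    expected = hmac.new(secret, mail.body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mail.signature)


def policy(mail: Mail) -> str:
    """Apply the two rules from the thread and return a verdict string."""
    if not signature_verifies(mail):
        return "drop: signature missing or does not verify"
    if mail.sender_key not in TRUSTED_SIGNERS:
        # Rule 2: a valid signature alone proves nothing about trust;
        # the self-signed one-day key lands here.
        return "drop: valid signature but signer not on trust list"
    return "accept"


def demo() -> Dict[str, str]:
    """Run the policy over constructed messages covering each outcome."""
    body = b"hello list"
    cases = {
        "unsigned": Mail(None, body, None),
        "tampered": Mail("KEY-ALICE", body + b" (edited)", sign("KEY-ALICE", body)),
        "fresh spam key": Mail("KEY-SPAM", body, sign("KEY-SPAM", body)),
        "trusted": Mail("KEY-ALICE", body, sign("KEY-ALICE", body)),
    }
    return {name: policy(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

Only the last case is accepted; the spammer's key verifies fine but is dropped by the trust-list rule, which is the "closed list" consequence the message points out.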
