PGP signatures

Kris Sorem Sr PMMAIL Discussion List <PMMAIL-L@VM.EGE.EDU.TR>
Fri, 23 Apr 1999 00:24:05 -0700


I personally don't care if a message is sent with HTML or a PGP signature.
BOTH serve a purpose for the sender not the recipient. HTML is useless in
a text based email program but it could be loaded into a browser to see
what the sender intended by the format. A PGP signature is useless unless
the recipient uses PGP AND has obtained the public key for the sender.
BOTH require extra effort on the part of the recipient. Actually, most PGP
users, like Steve, sign their messages twice.

On Thu, 22 Apr 1999 14:47:49 -0700, Steve Lamb wrote:

>    As for why I do it, an analogy is in order.

I think the analogy could be a little more accurate.
>
>    In our society we have letters and postcards.  Oddly enough, the majority
>of us sign them both.  Our mark made by our hand is quite difficult to
>duplicate.  Like it or not, it is a reassurance that the individual on the
>other end is who they say they are.  Ironically, though, this is not often
>the case in the business world.  But I digress, the point is, they are
>signed.

Actually, signing a letter or postcard personalizes it. The recipient,
unless a handwriting expert, has no way of knowing whether the signature
is valid for the individual represented. In this respect, it is not a
reassurance.
>
>    My PGP is such a signature.  It is unique to me and me alone.  Only I can
>invoke it, no one else can.  I sign all paper correspondence, I sign all
>electronic correspondence.

Your PGP signature is a certification of your identity and the message's
contents. This is not the same as signing all correspondence. You appear
to electronically sign all your messages and then certify that identity
with PGP.
>
>    Furthermore, people are in the habit of putting a majority of their
>correspondence inside an envelope.  This is done for some privacy.  A majority
>of the letters that are sent really don't need an envelope.  In fact, chances
>are, they would never be read.  So they don't need envelopes, they all should
>use post cards, right?

Actually, letters provide more space to write than do postcards. This is
why the majority of correspondence is in letter form. Letters are sent in
an envelope for convenience not necessarily for privacy and it provides
the sender some assurance that the post office will deliver all pages
intact. If privacy was the major concern, fax machines would not be so
popular. At present, electronic post offices are capable of delivering
electronic letters without the need for an envelope (i.e. encryption).
>
>    But reverse it.  If everyone sent a postcard and someone sent an envelope
>people would wonder what is in it, what is so important that it needs to be
>hidden?
>
>    In the electronic world the privacy envelope is the encryption.  Right
>now everyone is sending mail with postcards.  Only "important" stuff is sent
>via envelopes.  I am of the opinion that everything should be sent via
>envelopes and be signed, just as in the paper world.  This is because privacy
>is our right and unless exercised to its fullest it draws attention at the
>times you don't want it to.

IMO, the equivalent of this in the paper world would be: write a letter,
sign the letter, have the letter notarized, put it in an envelope, seal
the envelope with a tamper proof seal, and send it by certified or
registered mail. This really isn't necessary for all correspondence that
you send to someone else.
>
>    To that end, I sign everything in the electronic world as I do in the
>paper world.  I intend, when technology catches up to my desires, to encrypt
>everything I can to people whose keys I have.

Well, you sign and notarize everything in the electronic world because it
is convenient to do so. In this respect, you treat electronic
correspondence as more important than paper correspondence. I doubt that you
sign all your letters, have the letter notarized, and then place it in a
tamper proof sealed envelope. It is just not very convenient to do so.
>
>    I post something on a bulletin board for people to read, I sign it,
>important or not.  Same as a mailing list.

I sign correspondence too. I just don't notarize (PGP) relatively
unimportant correspondence. You can check a signature and postmark on a
paper letter. While it's easier to alter electronic mail, you can check
the electronic signature (if it has one) and the message header for the
expected source. Both are the very much the same but you cannot be
absolutely certain that it came from the individual represented in either
case.
>
>    I write a private message to my mom thanking her for an address she sent
>me, I'm going to sign it and put it into an envelope.  Be it a written
>signature and a paper signature or a digital signature and a cryptographic
>envelope.

Yes, but do you have that thank you letter notarized to verify your
signature and then send it in a tamper proof sealed envelope?
>
>    I do it not because I feel each message is important, but because they
>aren't.

Apparently, only because it is more convenient than doing the same with
paper correspondence.
>
>    If you don't like that, tough, filter me, I really don't care.  I'm on
>many people's filters on this list, one more won't kill me.  And quite
>frankly, nothing you say will change the matter.

Like I said earlier, I really don't care. I'm just pointing out the
disparity in how electronic and paper correspondence are handled. This
disparity leads to objections on the part of some individuals.
>
>    Oddly enough, of the 30+ lists I'm on on this address (which, BTW, is the
>only one I sign with right now) this is the only list I've ever received
>complaints.  Another list over half the people sign messages to it.  That
>list is a much more technical list than this one.  You'd think they would
>complain more than people on this list since, from time to time, those people
>have been known to debate wasted bandwidth on the bit level.

I have no problem with your desire to notarize your messages. I am curious
to know one thing. If you had to pay a fee to send a PGP signed message
like you would if you notarized a letter, would you still send all your
messages with a PGP signature?

>
>- --
>         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
>         ICQ: 5107343          | main connection to the switchboard of souls.
>- -------------------------------+---------------------------------------------

Above is your electronic signature.
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPsdk version 1.0 (C) 1997 Pretty Good Privacy, Inc
>
>iQCVAwUBNx+ZBaC6xbtZwvdnAQEVNQP8DrbdVP0AsOb05YJVllAnDhKHLjMQo7dt
>1lFTCSHX/4LNz1NL/ofVLk6iiksdBCswlR4A/8kAd/iAChHwieL5lKfqElhUr1go
>0g+Jen1n6J5+/yEmXw/lKpLgGv0rkJRt/6EkGO+5qGH2HqdewfuG2NCLxjfa9/+0
>JC1DB9gc6kA=
>=qGWs
>-----END PGP SIGNATURE-----

Above is your notarized signature.


--
ATB,
/s/~Kris