[messaging] On Signed-Only Mails

Phillip Hallam-Baker phill at hallambaker.com
Sun Dec 4 13:12:51 PST 2016


If you can trust the key, signed-only mail is very useful. In fact there is
much more use of S/MIME for authentication than for confidentiality.

The use of digital signatures to agree contracts is a red herring. You can
use digital signatures to establish a contract but the use of digital
signatures does not change what email can do already. There are plenty of
contracts that have been enforced after the parties agreed to them by email.

Signing a message produces a rebuttable presumption of authenticity. It
does not and cannot provide a presumption of intent to offer or accept an
offer of a contract unless used in a context in which that is expressly
established. In most situations where this is done, there is a rule book
that is agreed to.

Right now there are big holes in the trust models for OpenPGP and for
S/MIME. So saying there is no use for signature because the trust model is
really saying you need to fix the trust model. Which we already knew.

If I trust a key enough to send confidential documents to it then I trust
it enough to verify against the signature.