[messaging] On Signed-Only Mails
robryk at gmail.com
Wed Dec 7 15:42:32 PST 2016
On Wed, Dec 7, 2016 at 8:36 PM, Bjarni Runar Einarsson <bre at pagekite.net> wrote:
> Signatures don't just prove that the content is authentic, in
> practice they also work in the other direction - associating
> content and online identity with the signing key.
Why attaching your public key to every e-mail you send doesn't serve
this purpose in the same degree? Note that if someone was in a
position to tamper with the attached public key, they could have also
tampered with the signature by replacing it with a signature signed by
a key they control.
> A large amount of e-mails, consistently authored by the same
> persona and signed by the same key is as strong a signal of
> trustworthiness (of the key) as anything the web of trust or
> keyservers can provide. In many ways, it's stronger and more
> practical, because I probably care more about communicating with
> the person that wrote all those messages, than I care about
> government issued IDs or how diligent the author is at updating
> keyservers or attending keysigning parties.
More information about the Messaging