[messaging] On Signed-Only Mails

Robert Obryk robryk at gmail.com
Wed Dec 7 15:59:12 PST 2016


On Thu, Dec 8, 2016 at 12:55 AM, Bjarni Runar Einarsson
<bre at pagekite.net> wrote:
> Robert Obryk <robryk at gmail.com> wrote:
>> On Wed, Dec 7, 2016 at 8:36 PM, Bjarni Runar Einarsson
>> <bre at pagekite.net> wrote:
>> > Signatures don't just prove that the content is authentic, in
>> > practice they also work in the other direction - associating
>> > content and online identity with the signing key.
>>
>> Why doesn't attaching your public key to every e-mail you send
>> serve this purpose to the same degree? Note that if someone was
>> in a position to tamper with the attached public key, they
>> could have also tampered with the signature by replacing it
>> with a signature signed by a key they control.
>
> If the software automatically attaches your public key to every
> single outgoing message, you will soon stop using the software
> because the recipients of your mail will be confused and angry.
> It's as simple as that.

Why doesn't this apply to the same degree to attaching the signature?
If you understood "attaching" as making a multipart message (sorry for
the lack of clarity), then can't we just insert the key into the message
in the same way you'd want the signature to be inserted (be it inline,
as a part of a multipart message, or part of the header)?

Cheers,
Robert

> There are other reasons, but that one is sufficient. Usability
> matters!

