[messaging] On Signed-Only Mails

stef s at ctrlc.hu
Tue Nov 29 06:47:26 PST 2016

On Tue, Nov 29, 2016 at 10:18:37AM +0100, Vincent Breitmoser wrote:
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.

afaik the lack of rsa-pss in openpgp means that two signed mails can be used
to recover the signing rsa public key. so actually no need to send out pubkeys
if you autosign with rsa keys ;)

another a problem is that autosigning means that either 1/ you have your
key/password cached which is nice for recoverymalware, or 2/ you have to type
you password a lot, also nice for keyloggingmalware, 3/ you have no password
on it at all /o\. anyway in most cases the frequency of key-exposure is
unnecessarily inflated.

on certain mailinglists or email leaks repudiation might also be a factor.
this also leads to the question that mails in archive have other requirements
than messages in transit.

More information about the Messaging mailing list