Thus spake "Andy Dills" <andy@xecu.net>
> Yes, but once again you must consider content, given that most mail clients don't automatically verify signatures. Most of us will have to make a judgement call as to whether or not to bother to check the signature.
> The higher the degree of "importance" of the content, the more likely I am to check the signature, and the more likely I am to take verification steps if not signed.
> If the content is not "important", I won't bother checking the signature.
Why not just upgrade to a modern MUA and not have to worry? OE only supports S/MIME for now, but it does automatically verify every message, including checking that the From: line matches the key. It makes a big stink if the signature doesn't match, but just displays a simple little icon if it's verified correctly. How can you prefer to check messages manually and therefore cause the problems you describe?
> Lest anybody confuse my argument, I think PGP signatures are a good thing. I just don't think people need to sign everything they send. And I'm talking about posts to NANOG here, not private communication. In private communication, it's reasonable to sign most everything sent with official business purpose.
Ironically, there's no need to sign intrabusiness email because it's trackable by trusted authorities and therefore implicitly trusted for non-legal matters. It's personal email that needs a trust mechanism.
> If the majority of mail clients automatically verified PGP signatures, I would be totally in favor of signing every single email. But the simple fact is that not only do most mail clients not support that, many mail clients can't even display the signed text inline! Surely a compromise is needed for now.
Sure. Use old-style signatures if you're going to sign every message, and we can transition to new-style signatures once most people upgrade. S
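The reply above describes the policy a modern MUA applies: verify every signed message automatically, check that the From: line matches the key, warn loudly on a failure, and show only a quiet indicator on success. The following Go program is an added illustration of that policy and is not code from this thread or from any mail client. It substitutes Ed25519 for S/MIME or PGP, a constructed in-memory map for the certificate store or keyring, and a detached signature over the message body only, which is the property that makes the separate From:-versus-key comparison necessary. All addresses, keys and the sample message are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Verdict is the three-way outcome the reply describes: nothing to verify,
// verified and bound to From: (the quiet icon), or rejected (the big stink).
type Verdict int

const (
	Unsigned Verdict = iota
	Verified
	Rejected
)

func (v Verdict) String() string { return [...]string{"unsigned", "verified", "rejected"}[v] }

// Keyring is a constructed stand-in for the MUA's certificate store or PGP
// keyring: it binds a lower-cased e-mail address to the key certified for it.
type Keyring map[string]ed25519.PublicKey

// Message is a simplified signed mail: raw RFC 5322 text, the address the
// signer claims, and a detached signature over the body (nil when unsigned).
type Message struct {
	Raw       string
	SignerID  string
	Signature []byte
}

// body splits raw into headers and body. Only the body is signed, so the From:
// header is not protected by the signature and must be checked against the key.
func body(raw string) (mail.Header, []byte, error) {
	m, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, nil, err
	}
	b, err := io.ReadAll(m.Body)
	return m.Header, b, err
}

// Sign signs the body of raw with priv and labels the result with signer's address.
func Sign(priv ed25519.PrivateKey, signer, raw string) (Message, error) {
	_, b, err := body(raw)
	if err != nil {
		return Message{}, err
	}
	return Message{Raw: raw, SignerID: signer, Signature: ed25519.Sign(priv, b)}, nil
}

// Check applies the automatic policy. A valid signature from a key that is not
// bound to the From: address is a failure, not a success.
func Check(kr Keyring, msg Message) (Verdict, string) {
	if msg.Signature == nil {
		return Unsigned, "no signature present"
	}
	hdr, b, err := body(msg.Raw)
	if err != nil {
		return Rejected, "unparseable message: " + err.Error()
	}
	pub, ok := kr[strings.ToLower(msg.SignerID)]
	if !ok {
		return Rejected, "no certified key for " + msg.SignerID
	}
	if !ed25519.Verify(pub, b, msg.Signature) {
		return Rejected, "signature does not verify over the body"
	}
	from, err := mail.ParseAddress(hdr.Get("From"))
	if err != nil {
		return Rejected, "bad From: header"
	}
	if !strings.EqualFold(from.Address, msg.SignerID) {
		return Rejected, fmt.Sprintf("From: %s does not match key for %s", from.Address, msg.SignerID)
	}
	return Verified, "signature valid and bound to From:"
}

// Demo builds two constructed identities and runs the cases discussed in the thread:
// unsigned, properly signed, signed by someone else's key with a forged From:, and tampered.
func Demo() []Verdict {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{"alice@example.net": alicePub, "mallory@example.net": malPub}

	raw := "From: Alice <alice@example.net>\r\nSubject: routes\r\n\r\nPlease filter 10.0.0.0/8.\r\n"
	signed, _ := Sign(alicePriv, "alice@example.net", raw)
	spoofed, _ := Sign(malPriv, "mallory@example.net", raw) // valid key, wrong From:
	tampered := signed
	tampered.Raw = strings.Replace(raw, "10.0.0.0/8", "0.0.0.0/0", 1) // body edited after signing

	var out []Verdict
	for _, m := range []Message{{Raw: raw}, signed, spoofed, tampered} {
		v, why := Check(kr, m)
		fmt.Printf("%-9v %s\n", v, why)
		out = append(out, v)
	}
	return out
}

func main() { Demo() }
```

Running it prints one line per case; the spoofed message is the instructive one, since its signature is cryptographically valid and a client that verified the signature without comparing the From: line would show it as trusted.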