On Wed, 10 Jul 2002, Jordyn A. Buchanan wrote:
> Your facts are correct, but you're missing one so your conclusion is wrong.
>
> You need to verify the signature in order to be able to rely on it. However, if one usually does not consistently sign their messages, then it becomes entirely plausible that a spoofed message lacks a signature not because the forger does not have the capability to generate the signature, but simply because the sender simply neglected to attach a signature (yet again). In this case, unsigned data is accorded roughly the same level of authenticity as signed data.
Yes, but once again you must consider content, given that most mail clients don't automatically verify signatures. Most of us will have to make a judgement call as to whether or not to bother to check the signature. The higher the degree of "importance" of the content, the more likely I am to check the signature, and the more likely I am to take verification steps if not signed. If the content is not "important", I won't bother checking the signature.

Lest anybody confuse my argument, I think PGP signatures are a good thing. I just don't think people need to sign everything they send. And I'm talking about posts to Nanog here, not private communication. In private communication, it's reasonable to sign most everything sent with official business purpose.

If the majority of mail clients automatically verified PGP signatures, I would be totally in favor of signing every single email. But the simple fact is that not only do most mail clients not support that, many mail clients can't even display the signed text inline! Surely a compromise is needed for now.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access