Re: [openpgp] On Signed-Only Mails

Thijs van Dijk <schnabbel@inurbanus.nl> Wed, 30 November 2016 09:42 UTC

Return-Path: <schnabbel@inurbanus.nl>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 581B3129EB5 for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:42:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.334
X-Spam-Level:
X-Spam-Status: No, score=-1.334 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=inurbanus.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id smIX8R81tf_9 for <openpgp@ietfa.amsl.com>; Wed, 30 Nov 2016 01:42:34 -0800 (PST)
Received: from mail-ua0-x235.google.com (mail-ua0-x235.google.com [IPv6:2607:f8b0:400c:c08::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C112129D6D for <openpgp@ietf.org>; Wed, 30 Nov 2016 01:40:17 -0800 (PST)
Received: by mail-ua0-x235.google.com with SMTP id 51so207311129uai.1 for <openpgp@ietf.org>; Wed, 30 Nov 2016 01:40:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inurbanus.nl; s=google-inurb; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=W7kEiGMuSBHjqz1LOmdSwgIzcbYb0l/WCEFoxoMRtbg=; b=X86B7aahjY+ktdMgX4RO80rujltY5xLA35P5JvkA2jtpdkJvl7znmco+Vqs7blxipo W82oZMJzOh3nLnH5uGCC+oIKKPhxUsLvPdBdM09/uOne27Fqp3UpIwoNyzAvMHpK0CDA 8T0YTfHh3r4fvgAcih5hH1ov8vNuPoMefQ15o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=W7kEiGMuSBHjqz1LOmdSwgIzcbYb0l/WCEFoxoMRtbg=; b=l3zz9GB8Tdo5y0i+p7wLbSTMbXusrgP0hVxnW2t+K+mCcBUlOm+BSTqScS+01XTK6o JYRvjhgS/hHqpsxaDS95FuRAV0C6dj7pXtHj2KaztbrPvF7E9JqqHkOH3rnTjKx0JHyZ iW1YA1mRaeDaIOWOhzyHj7CSEh3gUuVeKKQ2ZuZWfG2AbZdrqfcmlu8+gqpADFGJeVIe 6CxP15uk+75SIGeevpeTCAkQNrod5KTWFwZLnb+v0Qa11KD/ZRk7otBYg8pRrjkH3yRC 9GeOMDwd49SkktByI6+sU3h3a0MxuFTJ5mQA/QqFpKrwkj2XpuQmsqjsZewk7EHE4fZ+ Yvug==
X-Gm-Message-State: AKaTC0321Z47jpTXTRs6r4Fqtp+aGwdsHbLcUzxkLLGhDWVZKSm0jkzavLSkSFwCJEMoN/3vKXF0/633ozeAHg==
X-Received: by 10.176.80.169 with SMTP id c38mr23584856uaa.61.1480498815865; Wed, 30 Nov 2016 01:40:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.103.21.67 with HTTP; Wed, 30 Nov 2016 01:40:15 -0800 (PST)
In-Reply-To: <bc170d67-3d83-6817-3508-21f904bf7730@giepa.de>
References: <20161129091837.GA25812@littlepip.fritz.box> <bc170d67-3d83-6817-3508-21f904bf7730@giepa.de>
From: Thijs van Dijk <schnabbel@inurbanus.nl>
Date: Wed, 30 Nov 2016 10:40:15 +0100
Message-ID: <CADGaDpGHDvL4xLd5kF=6cCgaPPOWkQb1gHL4D-0aQTP+aLkRsg@mail.gmail.com>
To: Alexander Strobel <Alexander.Strobel@giepa.de>
Content-Type: multipart/alternative; boundary=94eb2c1901f802dffe0542817e6b
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/AtYaunvZrLYonSdSozk5ajrG1hA>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 09:42:37 -0000

On 30 November 2016 at 10:03, Alexander Strobel <Alexander.Strobel@giepa.de>
wrote:

> Am 29.11.2016 um 10:18 schrieb Vincent Breitmoser:
> > Hi all,
> >
> > (cross-posting on openpgp and messaging mls)
> >
> > during my work on bringing OpenPGP to K-9 Mail, I found myself
> > reevaluating a lot of things. This time it's about signed-only mails.
> >
> > In short, my conclusion so far is that signed-only mails are very rarely
> > useful, they are holding OpenPGP back as a solution for encrypted
> > e-mail, and in the interest of usability we should not roll them out in
> > email crypto solutions on equal terms with encryption.
>
> I don't think signed only emails are useless. In my personaly opinion I
> would love to see all companies sending out signed emails that contain
> invoices.
> If any company would change their email addresses or someone from
> another department sends me an email, I would know that this is
> (presumably) not a phishing attack. [... snip ...]
> Sure, the company had to put the fingerprints of their key(s) on their
> website or tell it on the phone and I would have to check it, but that's
> not a very big problem.
> Maybe I miss something but, in this case signing seems a good idea to me.
>

Yes, conceptually this is a very good case for signing e-mails. In fact,
many companies already do this with more light-weight DKIM signatures. As
an added bonus, users (or UI makers) are saved the hassle of manual key
management because the signing keys are simply available in DNS.

-Thijs van Dijk