Re: [openpgp] On Signed-Only Mails

Alexander Strobel <> Wed, 30 November 2016 09:03 UTC

Openpgp: id=095BD69C7AC365895AC57EA9874D04CCA111C47B

On 29.11.2016 at 10:18, Vincent Breitmoser wrote:
> Hi all,
> (cross-posting on openpgp and messaging mls)
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.

I don't think signed-only emails are useless. In my personal opinion I
would love to see all companies sending out signed emails that contain
If any company would change their email addresses or someone from
another department sends me an email, I would know that this is
(presumably) not a phishing attack. (At least was sent from someone
within this company which gives me some more trust in the reliability of
its contents.) At the moment I receive an email with a sender address
that might or might not belong to the company. How can I know?
Sure, the company had to put the fingerprints of their key(s) on their
website or tell it on the phone and I would have to check it, but that's
not a very big problem.
Maybe I miss something, but in this case signing seems a good idea to me.

Best regards
 Alex Strobel