Re: [openpgp] On Signed-Only Mails

Alexander Strobel <Alexander.Strobel@giepa.de> Wed, 30 November 2016 09:03 UTC

To: <openpgp@ietf.org>
References: <20161129091837.GA25812@littlepip.fritz.box>
From: Alexander Strobel <Alexander.Strobel@giepa.de>
Openpgp: id=095BD69C7AC365895AC57EA9874D04CCA111C47B
Message-ID: <bc170d67-3d83-6817-3508-21f904bf7730@giepa.de>
Date: Wed, 30 Nov 2016 10:03:13 +0100
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Od6gvoUz3OAa1SVf7I8rdTyLBpg>
Subject: Re: [openpgp] On Signed-Only Mails
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>

On 29.11.2016 at 10:18, Vincent Breitmoser wrote:
> Hi all,
> 
> (cross-posting on openpgp and messaging mls)
> 
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
> 
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.

I don't think signed-only emails are useless. In my personal opinion I
would love to see all companies sending out signed emails that contain
invoices.
If any company were to change its email addresses, or someone from
another department sent me an email, I would know that this is
(presumably) not a phishing attack. (At least it was sent from someone
within this company, which gives me some more trust in the reliability of
its contents.) At the moment I receive an email with a sender address
that might or might not belong to the company. How can I know?
Sure, the company would have to put the fingerprints of its key(s) on its
website or tell me on the phone, and I would have to check them, but that's
not a very big problem.
Maybe I am missing something, but in this case signing seems a good idea to me.


Best regards
 Alex Strobel
 www.gpg4o.com
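The check Alex describes, as an added example that is not part of the thread and is not code from gpg4o or K-9 Mail: a POSIX shell script driving GnuPG that accepts an invoice only if it carries a good signature AND the signing key's fingerprint matches one pinned out of band (the one the company publishes on its website). It also shows why the fingerprint step is the part that matters: anyone can generate a key with the same name and billing address, and GnuPG will report a perfectly good signature for it. Assumptions: GnuPG 2.1 or newer on PATH; the domain example.com, the invoice text and the three throwaway keyrings are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, gpg4o or K-9 Mail):
# verify a clearsigned invoice against a fingerprint pinned out of band.
# Assumed: gpg 2.1+; example.com, the invoice text and the three temporary
# keyrings below are made up for this demonstration.
set -u

WORK=$(mktemp -d)
VENDOR_HOME="$WORK/vendor"       # the real billing department's keyring
IMPOSTOR_HOME="$WORK/impostor"   # an attacker with a key carrying the same UID
RECIPIENT_HOME="$WORK/recipient" # the customer's keyring (holds both public keys)

cleanup() {
    for h in "$VENDOR_HOME" "$IMPOSTOR_HOME" "$RECIPIENT_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Create keyring $1 with an unprotected Ed25519 signing key for user ID $2
# and print that key's fingerprint (field 10 of the "fpr" record).
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Billing
Name-Email: $2
Expire-Date: 0
%commit
EOF
    gpg --homedir "$1" --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Clearsign file $2 with the key in keyring $1, writing $3.
clearsign() {
    gpg --homedir "$1" --batch --yes --clearsign -o "$3" "$2" 2>/dev/null
}

# Verify clearsigned message $1 against pinned fingerprint $2.
#   0 = good signature from the pinned key
#   2 = good signature, but from some other key (same name/email is not enough)
#   1 = no good signature at all (tampered, unsigned, or unknown key)
verify_pinned() {
    status=$(gpg --homedir "$RECIPIENT_HOME" --batch --status-fd 1 \
                 --verify "$1" 2>/dev/null) || true
    # VALIDSIG is emitted only for a cryptographically good signature,
    # regardless of trust; its last field is the signer's primary fingerprint.
    signer=$(printf '%s\n' "$status" \
             | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$signer" ] || return 1
    [ "$signer" = "$2" ] && return 0
    return 2
}

demo_setup() {
    GENUINE_FPR=$(make_key "$VENDOR_HOME" billing@example.com)
    IMPOSTOR_FPR=$(make_key "$IMPOSTOR_HOME" billing@example.com)
    mkdir -p "$RECIPIENT_HOME" && chmod 700 "$RECIPIENT_HOME"
    # The customer ends up with both public keys; keyservers accept anyone's.
    for h in "$VENDOR_HOME" "$IMPOSTOR_HOME"; do
        gpg --homedir "$h" --batch --export billing@example.com 2>/dev/null \
          | gpg --homedir "$RECIPIENT_HOME" --batch --quiet --import 2>/dev/null
    done
    # Constructed invoice text.
    printf 'Invoice 2016-11-0042: EUR 1,000.00 due 2016-12-31\n' > "$WORK/invoice.txt"
    clearsign "$VENDOR_HOME"   "$WORK/invoice.txt" "$WORK/genuine.asc"
    clearsign "$IMPOSTOR_HOME" "$WORK/invoice.txt" "$WORK/impostor.asc"
    # Same genuine signature, but the amount was edited after signing.
    sed 's/1,000.00/9,000.00/' "$WORK/genuine.asc" > "$WORK/tampered.asc"
}

report() {                       # $1 = label, $2 = message file
    verify_pinned "$2" "$GENUINE_FPR"; rc=$?
    case $rc in
        0) echo "$1: ACCEPT, signed by pinned key $GENUINE_FPR" ;;
        2) echo "$1: REJECT, good signature but from a different key" ;;
        *) echo "$1: REJECT, no valid signature" ;;
    esac
}

if command -v gpg >/dev/null 2>&1; then
    demo_setup
    report genuine.asc  "$WORK/genuine.asc"
    report impostor.asc "$WORK/impostor.asc"
    report tampered.asc "$WORK/tampered.asc"
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The pinned value has to come from somewhere other than the mail itself (the website or the phone call Alex mentions); a mail client that only displays "good signature" is reporting the impostor case as a success, which is exactly the gap the fingerprint comparison closes.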