Re: [openpgp] On Signed-Only Mails

"brian m. carlson" <> Wed, 30 November 2016 03:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B274128DF6 for <>; Tue, 29 Nov 2016 19:04:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (3072-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ADxyr2diZa4E for <>; Tue, 29 Nov 2016 19:04:16 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A6649129CC0 for <>; Tue, 29 Nov 2016 19:03:38 -0800 (PST)
Received: from (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 73E49282B7 for <>; Wed, 30 Nov 2016 03:03:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1480475017; bh=Dkyz/+EryhLxjNi4qkVrfh+fejstoezX24nc2Uf5VHU=; h=Date:From:To:Subject:References:In-Reply-To:From; b=Kf0cYBh/ZuSqsouuoCdrXIOV0CcwxbXSNz45LMa5pl/Ctv+Y6kOm1d6rDRJuqtPla 0RpYEAzh9n2/y3L7yufAnFX0F43Y6OvYlBh6kM+ulWsadcNL8csYP0kdH46CFI2zvo bwtWeBag6bkqkuxVqLuB/mUrKkgAxldB5snofrEz59PRRLtkmmFZm7Hn0Wdaq/KV2z vJHH9Tl+ymApLh81w7IL6RfnwUZo1TfSeLSGPuclJZif8qIwJtuzLIbzRpDnDCbKhC iB6bp73PEnMDls/h2nU/gs7QwI7QfIugE9prC4gtfUt2HbYAsCfM0jMvnB/2+YrhjH JWABv8yuQ5eCEKBqaO+jYJHCrOEkzeoZiTU1BeCyMCgZuf81IK38ukzhGx/XmeoL5Z S7+RUZBs4Cnrr39KD2HZasuJIdWMC1ORZbePomOe5W6/LeQLo/7nehKDxSAFOymUZA p+PobBL1XNhkL45xdggyBFmLLyXutaKS2mvO8VzU52sG9AykOB1
Date: Wed, 30 Nov 2016 03:03:33 +0000
From: "brian m. carlson" <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="z7355oubydrcavoh"
Content-Disposition: inline
In-Reply-To: <>
X-Machine: Running on genre using GNU/Linux on x86_64 (Linux kernel 4.7.0-1-amd64)
User-Agent: NeoMutt/20161104 (1.7.1)
Archived-At: <>
Subject: Re: [openpgp] On Signed-Only Mails
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Nov 2016 03:04:18 -0000

On Tue, Nov 29, 2016 at 10:18:37AM +0100, Vincent Breitmoser wrote:
> Hi all,
> (cross-posting on openpgp and messaging mls)
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.
> In some more detail:
> I received positive as well as negative feedback about this, and I'd
> love to hear more thoughts about it.

I work for a company where all mail needs to be signed.  If someone
wants me to install an SSH public key on a server, I need to be certain
that the person is who they say they are.  Furthermore, if one of the
system administrators sends an announcement email to the all-users list,
encrypting it to all possible employees at the company is not practical.
Signing it is still useful, especially if it includes something like a
Wi-Fi configuration file that people might use on their systems.

I use K-9 Mail for personal and work purposes, and I rely immensely on
the ability to send signed-only emails, often to mailing lists.  I think
that's an extremely common and important use case that we shouldn't
forget about.  Integrity is important even in cases where
confidentiality is not.
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | | My opinion only