Re: [openpgp] On Signed-Only Mails

"brian m. carlson" <sandals@crustytoothpaste.net> Wed, 30 November 2016 03:04 UTC

Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B274128DF6 for <openpgp@ietfa.amsl.com>; Tue, 29 Nov 2016 19:04:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADxyr2diZa4E for <openpgp@ietfa.amsl.com>; Tue, 29 Nov 2016 19:04:16 -0800 (PST)
Received: from castro.crustytoothpaste.net (castro.crustytoothpaste.net [75.10.60.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6649129CC0 for <openpgp@ietf.org>; Tue, 29 Nov 2016 19:03:38 -0800 (PST)
Received: from genre.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:254c:7dd1:74c7:cde0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by castro.crustytoothpaste.net (Postfix) with ESMTPSA id 73E49282B7 for <openpgp@ietf.org>; Wed, 30 Nov 2016 03:03:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=crustytoothpaste.net; s=default; t=1480475017; bh=Dkyz/+EryhLxjNi4qkVrfh+fejstoezX24nc2Uf5VHU=; h=Date:From:To:Subject:References:In-Reply-To:From; b=Kf0cYBh/ZuSqsouuoCdrXIOV0CcwxbXSNz45LMa5pl/Ctv+Y6kOm1d6rDRJuqtPla 0RpYEAzh9n2/y3L7yufAnFX0F43Y6OvYlBh6kM+ulWsadcNL8csYP0kdH46CFI2zvo bwtWeBag6bkqkuxVqLuB/mUrKkgAxldB5snofrEz59PRRLtkmmFZm7Hn0Wdaq/KV2z vJHH9Tl+ymApLh81w7IL6RfnwUZo1TfSeLSGPuclJZif8qIwJtuzLIbzRpDnDCbKhC iB6bp73PEnMDls/h2nU/gs7QwI7QfIugE9prC4gtfUt2HbYAsCfM0jMvnB/2+YrhjH JWABv8yuQ5eCEKBqaO+jYJHCrOEkzeoZiTU1BeCyMCgZuf81IK38ukzhGx/XmeoL5Z S7+RUZBs4Cnrr39KD2HZasuJIdWMC1ORZbePomOe5W6/LeQLo/7nehKDxSAFOymUZA p+PobBL1XNhkL45xdggyBFmLLyXutaKS2mvO8VzU52sG9AykOB1
Date: Wed, 30 Nov 2016 03:03:33 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: openpgp@ietf.org
Message-ID: <20161130030333.72yj7jrva7gbp432@genre.crustytoothpaste.net>
References: <20161129091837.GA25812@littlepip.fritz.box>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="z7355oubydrcavoh"
Content-Disposition: inline
In-Reply-To: <20161129091837.GA25812@littlepip.fritz.box>
X-Machine: Running on genre using GNU/Linux on x86_64 (Linux kernel 4.7.0-1-amd64)
User-Agent: NeoMutt/20161104 (1.7.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WYovPO3nOvgufeKCTX6SqWPnP70>
Subject: Re: [openpgp] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 03:04:18 -0000

On Tue, Nov 29, 2016 at 10:18:37AM +0100, Vincent Breitmoser wrote:
> Hi all,
> 
> (cross-posting on openpgp and messaging mls)
> 
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
> 
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.
> 
> In some more detail:
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
> 
> I received positive as well as negative feedback about this, and I'd
> love to hear more thoughts about it.

I work for a company where all mail needs to be signed.  If someone
wants me to install an SSH public key on a server, I need to be certain
that the person is who they say they are.  Furthermore, if one of the
system administrators sends an announcement email to the all-users list,
encrypting it to all possible employees at the company is not practical.
Signing it is still useful, especially if it includes something like a
Wi-Fi configuration file that people might use on their systems.

I use K-9 Mail for personal and work purposes, and I rely immensely on
the ability to send signed-only emails, often to mailing lists.  I think
that's an extremely common and important use case that we shouldn't
forget about.  Integrity is important even in cases where
confidentiality is not.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204