Security Basics mailing list archives
RE: Best for of signature
From: Alejandro Criado-Pérez <alejandro () criadoperez com>
Date: Thu, 13 Feb 2003 01:11:03 +0100
Here I give you my experience and opinion about digital signatures. I used to love PGP specially because it didn't require an attachment but now I changed my mind. I bought the Verisign digital ID, especially because it's perfect compatibility with Outlook. Anybody with Outlook (most of the people I write to) can see the signature without any additional software (not like PGP). This is a very important detail for me. Also it doesn't modify your message. I can send HTML email with international characters and the digital signature won't modify my document. PGP couldn't do this. But there is one big disadvantage with Verisign's digital ID. If I receive an encrypted email, after I open it, I can't save the email as unencrypted (in PGP you can do this). So whenever my digital ID expires and I renew it (which has to be done every year), I won't be able to read the encrypted email unless I kept my old ID. My renewed ID wont be able to open it. So if in a couple of years I need to see an encrypted email they sent me I need my old digital ID or I loose the email forever. I wrote to Verisign and they told me that "that's just the way it works". Also if you sign an email with the Verisign ID and the receiver uses webmail or Lotus Notes, the wont be able to read the email AT ALL!! If you sign it with PGP and they don't have PGP software, they will still always be able to read the email. This gives an extra point to PGP. Does anybody know a good digital ID that everybody can read? I've been having this problem for a while, and I'm still very surprised that there's still no standard for this. I don't mind paying for it as long as it works. Thank you. Alejandro Criado-Pérez alejandro () criadoperez com -----Original Message----- From: Meritt James [mailto:meritt_james () bah com] Sent: miércoles, 12 de febrero de 2003 18:14 To: Chris Berry Cc: security-basics () securityfocus com Subject: Re: Best for of signature Concur. I distrust them to the extent that I never see them. Hence, the vote for inline. Jim Chris Berry wrote:
From: Frank Barton <pauling () starwolf biz> I was wondering what people's feelings are here as to the best way to digitally sign a message. mutt for example creates the digital signature as an attachment, and
then
attaches it, while some people create the signature as part of the text of the message. Which way is best? or most compatable?I personally distrust any attachments I didn't specifically request,
so my
vote would be for inline signatures. Chris Berry compjma () hotmail com Systems Administrator JM Associates "For Sys Admins paranoia isn't a mental health problem, its a
marketable job
skill." _________________________________________________________________ Tired of spam? Get advanced junk mail protection with MSN 8. http://join.msn.com/?page=features/junkmail
-- James W. Meritt CISSP, CISA Booz | Allen | Hamilton phone: (410) 684-6566
Current thread:
- Best for of signature Frank Barton (Feb 10)
- <Possible follow-ups>
- Re: Best for of signature Chris Berry (Feb 10)
- Re: Best for of signature Meritt James (Feb 12)
- RE: Best for of signature Alejandro Criado-Pérez (Feb 13)
- Re: Best for of signature Meritt James (Feb 12)
- RE: Best for of signature Alejandro Criado-Pérez (Feb 14)
- RE: Best for of signature Mike Jensen (Feb 14)