Security Basics mailing list archives

RE: Best for of signature


From: Alejandro Criado-Pérez <alejandro () criadoperez com>
Date: Thu, 13 Feb 2003 01:11:03 +0100

Here I give you my experience and opinion about digital signatures.

I used to love PGP, especially because it didn't require an attachment, but
now I've changed my mind.
I bought the Verisign digital ID, especially because of its perfect
compatibility with Outlook. Anybody with Outlook (most of the people I
write to) can see the signature without any additional software (not
like PGP). This is a very important detail for me. Also it doesn't
modify your message. I can send HTML email with international characters
and the digital signature won't modify my document. PGP couldn't do
this.

But there is one big disadvantage with Verisign's digital ID.  If I
receive an encrypted email, after I open it, I can't save the email as
unencrypted (in PGP you can do this). So whenever my digital ID expires
and I renew it (which has to be done every year), I won't be able to
read the encrypted email unless I kept my old ID. My renewed ID won't be
able to open it. So if in a couple of years I need to see an encrypted
email they sent me I need my old digital ID or I lose the email
forever. I wrote to Verisign and they told me that "that's just the way
it works".

Also if you sign an email with the Verisign ID and the receiver uses
webmail or Lotus Notes, they won't be able to read the email AT ALL!! If
you sign it with PGP and they don't have PGP software, they will still
always be able to read the email. This gives an extra point to PGP.

Does anybody know a good digital ID that everybody can read? I've been
having this problem for a while, and I'm still very surprised that
there's still no standard for this.
I don't mind paying for it as long as it works.

Thank you.


           Alejandro Criado-Pérez
           alejandro () criadoperez com


-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com] 
Sent: Wednesday, 12 February 2003 18:14
To: Chris Berry
Cc: security-basics () securityfocus com
Subject: Re: Best for of signature

Concur.  I distrust them to the extent that I never see them.  Hence,
the vote for inline.  

Jim

Chris Berry wrote:

From: Frank Barton <pauling () starwolf biz>
I was wondering what people's feelings are here as to the best way to
digitally sign a message.
mutt for example creates the digital signature as an attachment, and then
attaches it, while some people create the signature as part of the text
of the message.

Which way is best? or most compatible?

I personally distrust any attachments I didn't specifically request, so my
vote would be for inline signatures.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"For Sys Admins paranoia isn't a mental health problem, it's a
marketable job skill."


-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

