Re: Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT

[Brad Knowles <brad.knowles () skynet be>]

At 3:15 PM -0400 2002/07/10, Andy Dills wrote:

>  If people judge authenticity based on the simple fact that a message is
>  signed, that's just as useless. Why wouldn't the spoofed email be signed
>  with somebody else's key, to make it past all those people who merely
>  check to see if it's signed?
>
>  The _only_ way to verify authenticity is to check the signature.

	True enough.  But you do significantly raise the bar.  It's like 
putting a deadbolt lock on your front door -- maybe it's locked, and 
maybe it's not.  But it's very presence will tend to deter a certain 
percentage of attackers.

	However, even if the door is locked, we all know that a 
sufficiently motivated attacker can get past *ANY* lock.  If they 
can't break the lock itself, they break the door.  If they can't 
break the door, they break a window.  If they can't break a window, 
then they break a wall.

	But it is a pretty good deterrent for people who just walk around 
twiddling knobs.

>  Therefore, you should only sign emails that contain information important
>  enough that verification is necessary, otherwise nobody will check.

	Nope.  The only way to make this work is to sign all messages, 
and all messages that are not signed are automatically suspect. 
Indeed, even signed messages are at least somewhat suspect, and 
should always have the signature validated -- modern 
encryption/keyring management programs should make this fairly easy 
to make automatically happen by default.

--
Brad Knowles, <brad.knowles () skynet be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.