GPG signatures

[Michael Schwendt]

On Tue, 30 Dec 2003 14:27:57 -0500, Sean Estabrooks wrote:

> Is there anybody left who doesn't understand that email can be spoofed?  

Are you serious? Many, many people look only at the from address and are
quite shocked/surprised when you mail them a message using their name and
address.

> If there is, do these people understand that they should look for and
> validate a signature? 

If they use software which supports PGP/GPG or S/MIME, at least they can
see that some messages are signed while others are not, and they are free
to verify signatures when necessary. I don't make assumptions on whether
software offers to download a key or whether users care enough to become
familiar with GPG signatures. I leave it to the recipient on whether he
opens an unsigned message "From: Michael Schwendt <...>" because he knows
my name from many signed postings on public mailing-lists.

> Does this _really_ help you explain that the
> message didn't come from you?

Yes. It has helped in several cases where I have had problems getting
someone to not ignore the information in the headers. It triggered an
"Aha! I realize this message was different from your usual ones. Sorry!"
effect and caused a few people to become aware of details.

> Do you have to explain it less often?  

On @redhat.com lists I've switched to auto-signing my posts after several
of us subscribers had received fake messages with recycled message bodies.
Since then I haven't received any complaints about junk/spam coming from
my address. It might be coincidence. I don't care. A GPG signature doesn't
occupy as much space as some people's huge message footers.

-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20031230/1ac2e09d/attachment-0001.sig>