OT: Email signing

Gordon Messmer yinyang at eburg.com
Tue Jan 31 04:35:32 UTC 2006


Arthur Pemberton wrote:

>
> Could someone briefly fill me in on the if, why and how of email 
> signing (I do not mean signatures). I am sure I can google the how, 
> but I would like opinions and experiences.


OK, I presume that you mean cryptographic signing.  Message signing can 
be done with either SMIME or PGP.  Both accomplish the same thing, and 
operate in virtually the same way.

Why sign?  It's all about trust.  If you reliably sign your messages, 
the people with whom you exchange messages can configure their mail 
client to trust the fingerprint of your certificate (or, they may trust 
someone who signed your certificate).  They can trust that a message 
with your name on it, which has a valid signature, was written by you 
and has not been tampered with.  They should also learn not to trust 
messages that have your name on them, but no signature.

Which method you choose probably will be influenced most by who, 
exactly, you want to be able to verify your signatures.  SMIME uses, in 
large part, the same infrastructure that is already in virtually every 
mail client to support SSL connections.  That's one of the reasons that 
SMIME is supported by nearly every major mail client available, out of 
the box.  PGP does pretty much exactly the same thing, but requires an 
entirely separate infrastructure.  I'm not aware of any major client 
that supports PGP by default; they require plugins, mostly.  That gives 
SMIME a significant advantage if you want to sign messages, and have 
that information be useful to a wide audience.
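The trust model described in the reply, written out as a Go example added here (it is not code from the post, from Fedora, or from any mail client). A self-made CA issues a certificate to a sender; the recipient accepts a message either because the sender's certificate fingerprint was pinned earlier or because the certificate chains to a trusted issuer; and the two ways a check should fail are exercised: a body altered after signing, and a valid signature from a self-signed certificate that merely carries the same name. The identities, the names `alice@example.invalid` and `Demo CA (constructed)`, and the message text are constructed for the demonstration. It uses only the Go standard library and plain ECDSA P-256 signatures over a SHA-256 digest, not a full S/MIME (CMS) encoding, which the standard library does not provide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Identity struct { // a correspondent's signing key plus the certificate binding its public half to a name
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewIdentity issues a certificate for name. With issuer == nil it is self-signed (a root CA, or a lone
// user nobody vouches for); otherwise issuer signs it, the post's "someone who signed your certificate".
func NewIdentity(name string, isCA bool, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	parentCert, parentKey := tmpl, key // self-signed unless an issuer is given
	if issuer != nil { parentCert, parentKey = issuer.Cert, issuer.Key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Identity{Key: key, Cert: cert}, nil
}

// Fingerprint is the SHA-256 of the DER certificate: the value a recipient pins when trusting the sender directly.
func Fingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}

// Sign produces a detached signature over a hash of the body, as S/MIME and PGP do.
func Sign(id *Identity, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

func verifySig(cert *x509.Certificate, body, sig []byte) bool { // check sig with the key carried in cert
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(body)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// VerifyPinned is trust path 1: the recipient pinned the sender's certificate fingerprint.
func VerifyPinned(cert *x509.Certificate, pinnedFP string, body, sig []byte) bool {
	return Fingerprint(cert) == pinnedFP && verifySig(cert, body, sig)
}

// VerifyChained is trust path 2: the recipient trusts whoever issued the sender's certificate.
func VerifyChained(cert *x509.Certificate, roots *x509.CertPool, body, sig []byte) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && verifySig(cert, body, sig)
}

// Demo plays out the trust model with constructed identities and a constructed message;
// only PinnedOK and ChainOK should come back true.
type Results struct{ PinnedOK, ChainOK, TamperedOK, ImpostorOK bool }

func Demo() (r Results, err error) {
	ca, err := NewIdentity("Demo CA (constructed)", true, nil)
	if err != nil { return }
	alice, err := NewIdentity("alice@example.invalid", false, ca)
	if err != nil { return }
	impostor, err := NewIdentity("alice@example.invalid", false, nil) // same name, vouched for by nobody
	if err != nil { return }
	body := []byte("Constructed message: the meeting moves to 15:00.\n")
	sig, err := Sign(alice, body)
	if err != nil { return }
	badSig, err := Sign(impostor, body)
	if err != nil { return }
	pinned := Fingerprint(alice.Cert) // recorded out of band, e.g. compared in person
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	r.PinnedOK = VerifyPinned(alice.Cert, pinned, body, sig)
	r.ChainOK = VerifyChained(alice.Cert, roots, body, sig)
	r.TamperedOK = VerifyPinned(alice.Cert, pinned, []byte("Constructed message: the meeting moves to 16:00.\n"), sig)
	r.ImpostorOK = VerifyChained(impostor.Cert, roots, body, badSig) || VerifyPinned(impostor.Cert, pinned, body, badSig)
	return
}

func main() { r, err := Demo(); fmt.Printf("%+v err=%v\n", r, err) }
```

Run it with `go run`. The pinned path is what a mail client does when you accept a correspondent's certificate by hand; the chained path is the S/MIME default, where the client already ships the CA roots it uses for SSL. The impostor case is the one the post warns about: the signature itself is valid, but the certificate behind it is one nobody the recipient trusts has vouched for, so the client must treat the message as unsigned.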




More information about the fedora-list mailing list