[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [Enigmail] New user part 2 Robert J. Hansen Fri Apr 06 23:00:36 2012

On 04/07/2012 01:15 AM, Eugene Seidel wrote:
> Should I always sign every e-mail from now on?

This is an excellent question, and there is no clear-cut answer.  I
don't, and for different reasons.

A signature is meaningful if and only if it is (a) correct, (b) comes
from a validated key, (c) belonging to someone you trust.  If any of
those three conditions fail to hold, the signature is meaningless: you
cannot use it to check the integrity of the message.

Very few people have validated my key; of those people, even fewer would
trust me with their car keys.  So since there are *maybe* five people on
this list who would derive any benefit from my signatures, why should I
spam the rest of the list with signatures that are useless to them?

Instead, I sign messages when I know I'm communicating with people for
whom those signatures are meaningful.  If someone has validated my key
and trusts me, then I sign messages to them as a matter of courtesy.

> Why is the "signature block" at the end of a mail message so much 
> shorter for some of you? How can I shrink my own signature block?

The length of a signature block will vary depending on which algorithm
is used (RSA signatures tend to be longer than DSA signatures) and the
length of the key used (RSA-4096 signatures are *honking* *big*).

> I guess the Quick Start guide could be a little more explicit on that
> point.

We'll consider this for the next revision.  :)

> The recipient opens the mail and if they have Enigmail, too, it looks
> up the signature to see if it exists and confirms that it belongs to
> me. Surely it can't be so easy to impersonate me. Where is my
> misunderstanding?

Each message receives a unique signature.  You can't lift a signature
off one message and paste it onto another: the message will fail to
verify.  (Go ahead!  Try it yourself and see.)

> For now, I guess that my Enigmail works only on this Thunderbird and
> on this (desktop) computer. What if I am traveling and using a
> different computer?

Some people have reported excellent results with Portable Thunderbird,
from PortableApps.  This is a full Thunderbird+GnuPG+Enigmail setup that
you can install and run from a flash drive.

(There are, of course, some risks in using crypto software running on a
computer you don't own and/or physically control.)
Enigmail mailing list