Mailing List Archive



Re: [tlug] Re: Draft: Quickie Guide to GPG



On Mon, Sep 02, 2002 at 03:39:31PM +0200, Tobias Diedrich wrote:

>Personally I don't like sending signed mails to mailing lists.

I think it depends on the list.  On technical lists, you see
a lot more people doing it.  On lists populated by people
who wouldn't know a digital signature if it fell from the
sky and hit them, they'll probably think it's some virus or
something (that exact thing was related to me by another TLUGger).

I GPG-sign (almost) all of my mail, not because I think a forgery
is particularly likely, but partly because one is not impossible
either, someday, somewhere.  If it does ever happen, I can then
say "Apart from the header information which shows it didn't
come from any computer which I frequent (unless of course someone
did have physical access to such a machine), I digitally sign
my mail; you'll notice it is not signed."  Granted, proving you
didn't write something because it is not signed is a lot harder than
proving you did write something that is signed, but it's still a point
of evidence.

Another reason I do it is to set a good example and raise 
awareness of the issues of signing and encryption, and why these
things are becoming more and more important in the face of
identity theft.

And finally, if identity theft or just a plain mail forgery ever
does happen to me, if people are very used to seeing both 
signed mail from me and my GPG key in my .sig and someday
something looks odd and it isn't signed by me, that's a lot more
likely to raise the recipient(s)'s suspicions, even if the recipient
does not use GPG her/himself.

>a) Means more traffic for the server

This isn't much of an issue in most places, if anywhere.  I
know a K62-400 machine that was serving over 100 lists the
last time I checked and was getting no workout at all.
The tiny bit of overhead a signature adds is negligible, even on
a large list.  And certainly, the TLUG server has plenty of
power to spare.

>b) Makes mail reading slower (mutt has to invoke gpg to check

This is such a minor slowdown that I don't even notice it.  The
thing that takes longest is just typing in my passphrase periodically.


Of course, no one *has* to use encryption or signing, and if you
don't feel like it on lists, that's fine.  But I do encourage 
people to at least have GPG installed and working on their systems,
and to use it often enough that they don't forget how and can
remember their passphrase.  Even if you rarely need it, it's good
to have around when you do.  I only recently started using it
myself, because I did need to exchange some confidential information
by email, so I set up GPG and made my dad do the same.  That's how
my GPG guide came to be in the first place :-)

Jonathan
GPG key: DF12B4EF (5399 C834 3ABB C3AF 610C  5345 D5D6 E6EA DF12 B4EF)
gpg --keyserver pgp.mit.edu --recv-keys  DF12B4EF

Attachment: pgp00006.pgp
Description: PGP signature

