
Re: [OT] Bogus undelivered message



On Wed, Jun 11, 2003 at 09:11:21PM -0400, Mike M wrote:
> On Wednesday 11 June 2003 16:39, Karsten M. Self wrote:
> > If you want your messages authenticated, sign them.
> 
> I just started with GPG and I'm still learning.  I need some clarification 
> on the advice above.  Are you saying that by signing all emails, then I can 
> positively distinguish real undelivered from bogus undelivered because the 
> bogus ones will not have my digital signature?

Real undelivered mail will indeed have your digital signature;
it is no longer a "signed message" as such, as it is now a subsection
of a message from the remote MTA, but the signature part will be
visible when you read the mail (at least it is in mutt and less). For
this reason the MUA's handy automatic GPG checking features won't
work. I suppose you could write a script to which undelivereds are
filtered, that un-mungs the message, GPG-checks it and does something
appropriate based on the result.

The main point about signing messages is that it allows the receiver
of a message to check whether it really is from you or from some
spammer who has forged your email address in the From header.
Karsten's spiel about this has been on the list a couple of times
recently; search the message bodies for "half a secret".

The main weakness of the system is in the key security; you can't
fully trust a key unless you have actually met the keyholder to get it
and checked that you didn't meet an impostor. This is only really
significant for spy-novel type situations, though, and doesn't
materially weaken it as a defence against spammer-type bulk abuse.

-- 
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F

Attachment: pgpktiTLRgUeD.pgp
Description: PGP signature
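
The script suggested in the message above could look like the following. This is an added example, not part of the original post: it handles only inline clearsigned messages (not PGP/MIME), and the function names, the `my_fpr` parameter and the sample bounce are assumptions made for illustration.

```python
import email
import re
import subprocess

CLEARSIGN_RE = re.compile(
    rb"-----BEGIN PGP SIGNED MESSAGE-----\r?\n.*?-----END PGP SIGNATURE-----",
    re.DOTALL)

def extract_clearsigned(bounce_bytes):
    """Return the first clearsigned block in any text part of the bounce, or None."""
    msg = email.message_from_bytes(bounce_bytes)
    for part in msg.walk():  # walk() also descends into an attached message/rfc822
        if part.get_content_maintype() == "text":
            m = CLEARSIGN_RE.search(part.get_payload(decode=True) or b"")
            if m:
                return m.group(0)
    return None

def verify_is_mine(block, my_fpr):
    """True only if gpg reports a valid signature by my_fpr (40 hex digits, uppercase)."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify"],
                          input=block, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL)
    for line in proc.stdout.decode(errors="replace").splitlines():
        f = line.split()
        if f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return my_fpr in (f[2], f[-1])  # signing key or primary key fingerprint
    return False

def classify(bounce_bytes, my_fpr, verify=verify_is_mine):
    block = extract_clearsigned(bounce_bytes)
    if block is None:
        # Original truncated, headers only, or never signed: no evidence either way.
        return "unverifiable"
    return "mine" if verify(block, my_fpr) else "not-mine"

# Constructed sample bounce; the signature body is a placeholder, not a real signature.
SAMPLE_BOUNCE = b"\n".join([
    b"From: MAILER-DAEMON@mx.example.net",
    b"Subject: Undelivered Mail Returned to Sender", b"MIME-Version: 1.0",
    b'Content-Type: multipart/report; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"", b"Delivery failed.",
    b"--b1", b"Content-Type: message/rfc822", b"",
    b"From: me@example.org", b"Subject: hello", b"",
    b"-----BEGIN PGP SIGNED MESSAGE-----", b"Hash: SHA256", b"", b"hello",
    b"-----BEGIN PGP SIGNATURE-----", b"", b"PLACEHOLDER",
    b"-----END PGP SIGNATURE-----", b"--b1--", b""])

if __name__ == "__main__":
    print(extract_clearsigned(SAMPLE_BOUNCE).decode())
```

Many MTAs return only the headers or a truncated body, so "unverifiable" is kept separate from "not-mine": a missing signature block is not by itself proof that the bounce is bogus.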

