[Enigmail] Expect signature header proposal
Eitan Adler
eitanadlerlist at gmail.com
Wed Oct 8 06:04:35 PDT 2008
Patrick Brunschwig wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Eitan Adler wrote:
> [...]
>> The fundamental difference between my scenario and yours is that the
>> state of "always signing" is not with the sender but with recipient. The
>> recipient always gets signed messages regardless of whether or not the
>> sender always signs all messages.
I should clarify: "the state of 'always signing'" means the expectation
that the other person will sign all his messages. The above should read:
>> The fundamental difference between my scenario and yours is that the
expectation that the sender will sign all his messages is not with the
sender but with recipient. The recipient expects to always get signed
messages regardless of whether or not the sender always signs all messages
to anyone else.
>
> Well ... the problem with this is that it won't work. How would you want
> to enforce such a rule? I am the developer of Enigmail. What could you
> do if I would decide not to follow such a standard because I don't like
> it? And then, assume I would implement the standard. How could you
> ensure that nobody would download the source code, modify that part that
> follows the standard and use that version of Enigmail? How could you
> prove that the absence of a signature means anything?
Note the above clarification - I think it answers these questions.
>
> It's a fact that the absence of a signature or the presence of a bad
> signature simply don't prove anything. There is no information that you
> could derive from it.
This system is not designed to PROVE that someone didn't sign a message
but rather to ALERT you when it is likely that someone didn't send a
message. That way you can verify with the person using some other more
secure way (e.g. signed message or phone) to verify whether or not he
sent the message.
>
> - -Patrick
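The recipient-side alert described in the message above could look like the following. This is an added illustration, not code from Enigmail or from the thread; the `EXPECT_SIGNED` list, the function names and the sample messages are assumptions, and the check covers signature presence only, not validity.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a list the recipient keeps of senders expected to sign every message.
EXPECT_SIGNED = {"alice@example.org"}

def has_pgp_signature(msg):
    """Report whether an OpenPGP signature is present (presence only, not validity)."""
    for part in msg.walk():
        # PGP/MIME (RFC 3156): multipart/signed with an OpenPGP signature protocol.
        if part.get_content_type() == "multipart/signed":
            if (part.get_param("protocol") or "").lower() == "application/pgp-signature":
                return True
        elif part.get_content_maintype() == "text":
            lines = (part.get_payload(decode=True) or b"").splitlines()
            # Armor lines must stand alone at column 0: a "> "-quoted copy of
            # someone else's signed mail does not make this message signed.
            if (b"-----BEGIN PGP SIGNED MESSAGE-----" in lines
                    and b"-----BEGIN PGP SIGNATURE-----" in lines):
                return True
    return False

def classify(raw):
    """Return 'alert', 'signed-unverified' or 'no-expectation' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if has_pgp_signature(msg):
        return "signed-unverified"  # still has to be verified, e.g. with GnuPG
    # Unsigned mail from an expected signer: confirm with the sender out of band.
    return "alert" if sender in EXPECT_SIGNED else "no-expectation"

# Constructed sample messages (signature bodies are placeholders).
CLEARSIGNED = (
    "From: Alice <alice@example.org>\nSubject: hi\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhello\n"
    "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n")
QUOTED_ONLY = (
    "From: Alice <alice@example.org>\nSubject: re\n\n"
    "> -----BEGIN PGP SIGNED MESSAGE-----\n> hello\n"
    "> -----BEGIN PGP SIGNATURE-----\n> -----END PGP SIGNATURE-----\nreply text\n")
UNSIGNED_OTHER = "From: Bob <bob@example.net>\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    for name, raw in [("clearsigned", CLEARSIGNED), ("quoted only", QUOTED_ONLY),
                      ("unsigned, other sender", UNSIGNED_OTHER)]:
        print(f"{name}: {classify(raw)}")
```

The `QUOTED_ONLY` case mirrors a reply like this one, which quotes a signed message but carries no signature of its own.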