header image

Q: Why are you signing your email?
A: I have begun signing my important email because I want people who receive email from me:

  • to know it's really from me (i.e. not just forged to look like it's from me).
  • to know it's exactly what I sent (i.e. the message contents were not changed en route).
  • to be able to send me private, encrypted replies if they want to.
I am signing my email using GnuPG.

Q: Isn't this a little extreme?
A: I don't think so. Here's why:

  • Signing email protects me from forgery. This is important, especially for important emails. There are two predominate sources of forged email these days: viruses and spammers. I want people who get email from me to know that I really sent it (not someone pretending to be me). Forging email is simple and signing email is a defense.
  • When you receive a signed email your email client can be sure that the contents of the email message are identical to what I sent by verifying a hash value (checksum) in the signature. Altering the message in any way invalidates this checksum.
  • When you receive a signed email from me you get a copy of my "public key" and with it the ability to create encrypted messages that only I can decrypt. If you want to tell me something in confidence I suggest you use this capability.
  • Have a look at the Communications Assistance for Law Enforcement Act (CALEA) which says all ISPs must:
    preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities. Common carriers, facilities-based broadband Internet access providers, and providers of interconnected Voice over Internet Protocol (VoIP) service - all three types of entities are defined to be "telecommunications carriers" for purposes of CALEA section 102, 47 U.S.C. 1001 - must comply with the CALEA obligations set forth in CALEA section 103, 47 U.S.C. § 1002.

    ...Then ask yourself whether it's worth your time learning how to encrypt your email. I have nothing to hide from the government but the system for snooping on "bad guys'" communications has been abused in the past far too often to ignore. Frankly, I don't trust the feds to do the right thing anymore.

Q: Why am I getting errors when I try to read email from you?
A: Signing email involves using a certificate to put a digital signature at the bottom of a message. Your email client (Outlook Express, Outlook, Netscape, Mozilla, Eudora, etc...) is probably telling you that you do not implicitly trust the certificate I used to sign my email. Certificates that are implicitly trusted by mail clients are available but cost about $100/year (companies like Verisign sell them). When I sign my personal email I sign with a homemade certificate. This is not implicitly trusted by most email clients.

Despite this fact either certificate is perfectly capable of ensuring message origin and authenticity. Moreover you can use the "public key" of either certificate to create private replies that only I can read. To get rid of the errors you see when you read my signed email you need to tell your email client that you trust my certificates.

Q: How do I trust your certificate?
A: The process is different with different email clients. In Outlook Express it's very simple -- you basically walk throug the "signed email" wizard and then go to the tab that says "Edit Trust".

Q: How can I sign my own email?
A: I use a firefox plugin called FireGPG (which also requires GnuPG and Gmail. To sign or encrypt a message you first need to create a public and private key. Check out the comp.security.pgp FAQ for more information. If you don't use Gmail there is probably some other tool you can use to sign or encrypt your mail; utilities exist for most popular mail readers and platforms.

sign.html was last updated 19 July 2013 and is Copyright (C) 2002-2015 by Scott Gasch (scott.gasch@gmail.com).