Q: Why are you signing your email?
A: I have begun signing my important email because I want people who receive
email from me:
- to know it's really from me (i.e. not just forged to look like
it's from me).
- to know it's exactly what I sent (i.e. the message contents were
not changed en route).
- to be able to send me private, encrypted replies if they want to.
I am signing my email using GnuPG.
Q: Isn't this a little extreme?
A: I don't think so. Here's why:
- Signing email protects me from forgery. This is important,
especially for important emails. There are
two predominant sources of forged email these days: viruses and
spammers. I want people who get email from me to know that I really
sent it (not someone pretending to be me). Forging email is simple and signing email
is a defense.
- When you receive a signed email your email client can be sure that
the contents of the email message are identical to what I sent by
verifying a hash value (checksum) in the signature. Altering the
message in any way invalidates this checksum.
- When you receive a signed email from me you get a copy of my
"public key" and with it the ability to create encrypted messages that
only I can decrypt. If you want to tell me something in confidence I
suggest you use this capability.
- Have a look at the
Communications Assistance for Law Enforcement Act (CALEA) which
says all ISPs must:
preserve the ability of law enforcement agencies to conduct
electronic surveillance by requiring that telecommunications carriers
and manufacturers of telecommunications equipment modify and design
their equipment, facilities, and services to ensure that they have
the necessary surveillance capabilities. Common carriers,
facilities-based broadband Internet access providers, and providers of
interconnected Voice over Internet Protocol (VoIP) service - all three
types of entities are defined to be "telecommunications carriers"
for purposes of CALEA section 102, 47 U.S.C. § 1001 - must comply
with the CALEA obligations set forth in CALEA section 103, 47 U.S.C. § 1002.
...Then ask yourself whether it's worth your time learning how to encrypt
your email. I have nothing to hide
from the government but the system for snooping on "bad guys'" communications
has been abused in the past far too often to ignore. Frankly, I don't
trust the feds to do the right thing anymore.
Q: Why am I getting errors when I try to read email from you?
A: Signing email involves using a certificate to put a digital
signature at the bottom of a message. Your email client (Outlook
Express, Outlook, Netscape, Mozilla, Eudora, etc...) is probably
telling you that you do not implicitly trust the certificate I used to
sign my email. Certificates that are implicitly trusted by mail
clients are available but cost about $100/year (companies like
Verisign sell them). When I sign my personal email I sign with a
homemade certificate. This is not implicitly trusted by most email
clients.
Despite this fact either certificate is perfectly capable of ensuring
message origin and authenticity. Moreover you can use the "public
key" of either certificate to create private replies that only I can
read. To get rid of the errors you see when you read my signed email
you need to tell your email client that you trust my certificates.
Q: How do I trust your certificate?
A: The process is different with different email clients. In Outlook
Express it's very simple -- you basically walk through the "signed email"
wizard and then go to the tab that says "Edit Trust".
Q: How can I sign my own email?
A: I use a
Firefox plugin called FireGPG (which also requires GnuPG and Gmail). To sign or encrypt a message you first need to
create a public and private key. Check out the comp.security.pgp FAQ for more information. If you
don't use Gmail there is probably some other tool you can use to sign or
encrypt your mail; utilities exist for most popular mail readers and
platforms.
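An added example, not part of the original FAQ: the steps mentioned above (create a key pair, sign a message, verify it), done with the gpg command line, plus a check that an altered copy fails verification. It assumes GnuPG 2.1 or later; the identity, the message text, the empty passphrase and the signing-only ed25519 key are constructed for the demonstration and live in a throwaway keyring.

```shell
#!/bin/sh
# Added example: sign a message with GnuPG, verify it, then show that an
# altered copy fails verification. Nothing here touches your real keyring.

WORK=$(mktemp -d)                       # scratch directory, removed on exit
GNUPGHOME="$WORK/gnupg"                 # throwaway keyring location
export GNUPGHOME
mkdir -m 700 "$GNUPGHOME"
DEMO_UID="Demo Signer <demo@example.invalid>"    # constructed identity

cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null  # stop the agent started for the demo
  rm -rf "$WORK"
}
trap cleanup EXIT

# Unattended gpg: no prompts, empty passphrase (acceptable for a demo only).
gpg_batch() {
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"
}
make_key() {        # create the public/private key pair
  gpg_batch --quick-generate-key "$DEMO_UID" ed25519 sign never
}
sign_message() {    # $1 = plaintext file, $2 = clear-signed output file
  gpg_batch --output "$2" --clearsign "$1"
}
verify_message() {  # exit status 0 only if the signature matches the text
  gpg --batch --verify "$1" 2>/dev/null
}

make_key
printf 'Meet at 10:00 in room 4.\n' > "$WORK/msg.txt"    # constructed message
sign_message "$WORK/msg.txt" "$WORK/msg.asc"

# Simulate a change en route: alter one character of the signed text.
sed 's/10:00/11:00/' "$WORK/msg.asc" > "$WORK/tampered.asc"

for f in msg.asc tampered.asc; do
  if verify_message "$WORK/$f"; then
    echo "$f: good signature"
  else
    echo "$f: verification FAILED"
  fi
done
```

For a real key, drop the empty passphrase and the temporary GNUPGHOME so the key is passphrase-protected and stored in your normal keyring.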