NetVillage: Why should you sign your emails?
Last edited by DavidCollantes - Tue, 21 Jun 2005 16:26 EDT

Signing emails?

"But "electronic stuff" is never signed, from the computer-printed telephone bill to the emails I receive from my friends! It is not on paper, how can it be signed?"

It can. Emails can carry electronic signatures, which look like random letters and numbers to us but can be read by special programs like PGP.

The main problem here is to assure that the text you signed stays the same after you signed it. On paper, after you sign it (and if you take care to cross out big empty spaces), it is difficult to modify or add words without anybody noticing afterwards. An email, on the other hand, can quite easily be changed at any time by a surprising number of people on the way.

So what PGP does is to take a short digest of your text (a so-called "hash", a fancy kind of checksum) and combine it with your PGP private key to generate the actual PGP signature. The trick is that only you can generate this signature, but everyone using PGP can check the correctness of the email.

But why should I sign emails?

"People know that emails are from me, because it shows my email address as the sender!"

No, they do not. It is so easy to forge the sender of an email that anybody technically inclined can learn this in under one minute. Emails are like postcards: you have to put the right address so that they arrive, but you can put whatever you like as the sender, and with emails you cannot recognise the handwriting. So if a friend gets an email from you, it could really be from you, or from a spammer using your name, the latest virus on another friend's computer, or even some malicious neighbour, prankster colleague or ex-friend. Unfortunately spam and viruses are on the rise, and it is very improbable that maliciousness and pranksters will die out soon.
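The mechanism described above, as an added example that is not code from this page, NetVillage or PGP: Go's standard-library Ed25519 stands in for the PGP key pair, the SHA-256 digest is the "hash", and the sender and signing time are folded into what gets signed, so a changed word or a re-dated copy of a genuine mail no longer verifies. The function names, the address alice@example.org and the timestamps are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMail carries everything the signature covers (sender, signing time, text) plus the signature.
type SignedMail struct {
	Sender, Timestamp, Body string
	Signature               []byte
}

// NewKeyPair makes a constructed, throw-away key pair: private key stays with the sender, public key goes out.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Digest is the short "hash" of the text; sender and timestamp are folded in so a
// signature cannot be lifted onto another message or another date.
func Digest(sender, ts, body string) []byte {
	sum := sha256.Sum256([]byte(sender + "\n" + ts + "\n" + body))
	return sum[:]
}

// SignMail: digest plus private key gives the signature only the key holder can make.
func SignMail(priv ed25519.PrivateKey, sender, ts, body string) SignedMail {
	return SignedMail{sender, ts, body, ed25519.Sign(priv, Digest(sender, ts, body))}
}

// VerifyMail: anyone holding the public key checks that what arrived is what was signed.
func VerifyMail(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, Digest(m.Sender, m.Timestamp, m.Body), m.Signature)
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	m := SignMail(priv, "alice@example.org", "2005-06-21T16:26:00-04:00", "I am not interested.")
	fmt.Println("as sent:", VerifyMail(pub, m)) // true
	forged := m
	forged.Body = "I am interested." // one word changed in transit
	fmt.Println("text altered:", VerifyMail(pub, forged)) // false
	replayed := m
	replayed.Timestamp = "2005-07-12T09:00:00-04:00" // a genuine old mail re-dated and reused
	fmt.Println("re-dated:", VerifyMail(pub, replayed)) // false
}
```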
In an online world full of wicked intentions, the recipient of your emails should act on the assumption that if it is not signed by you, the email probably is not from you. With a signed email, on the other hand, your friend can check whether it is really from you and whether this is actually the text you wrote. The PGP signature also contains the sender and the point in time when the message was signed. So if somebody tries to use a real signed email from you for something else, with a PGP signature the recipient will see that you did not send "I am not interested" to your love today, but to your insurance agent 3 weeks before.

Always signing emails protects both you and the people you send them to. You know that your words will arrive as you wrote them. They know they can rely on your signature and will quickly recognise malicious mails purported to come from you, because they are not signed. It doesn't cost you anything to sign your emails - and you sign your postcards too, don't you?

Taken from: Ciphire, "Why should you sign your emails". Adapted to PGP, since the idea and functionality are essentially the same.

See also: GNU Privacy Guard, PGP Corporation

CategoryLegal, CategoryTechnology