Home page logo

basics logo Security Basics mailing list archives

RE: Best for of signature
From: Alejandro Criado-Pérez <alejandro () criadoperez com>
Date: Thu, 13 Feb 2003 01:11:03 +0100

Here I give you my experience and opinion about digital signatures.

I used to love PGP specially because it didn't require an attachment but
now I changed my mind. 
I bought the Verisign digital ID, especially because it's perfect
compatibility with Outlook. Anybody with Outlook (most of the people I
write to) can see the signature without any additional software (not
like PGP). This is a very important detail for me. Also it doesn't
modify your message. I can send HTML email with international characters
and the digital signature won't modify my document. PGP couldn't do

But there is one big disadvantage with Verisign's digital ID.  If I
receive an encrypted email, after I open it, I can't save the email as
unencrypted (in PGP you can do this). So whenever my digital ID expires
and I renew it (which has to be done every year), I won't be able to
read the encrypted email unless I kept my old ID. My renewed ID wont be
able to open it. So if in a couple of years I need to see an encrypted
email they sent me I need my old digital ID or I loose the email
forever. I wrote to Verisign and they told me that "that's just the way
it works".

Also if you sign an email with the Verisign ID and the receiver uses
webmail or Lotus Notes, the wont be able to read the email AT ALL!! If
you sign it with PGP and they don't have PGP software, they will still
always be able to read the email. This gives an extra point to PGP.

Does anybody know a good digital ID that everybody can read? I've been
having this problem for a while, and I'm still very surprised that
there's still no standard for this.
I don't mind paying for it as long as it works.

Thank you.

           Alejandro Criado-Pérez
           alejandro () criadoperez com

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com] 
Sent: miércoles, 12 de febrero de 2003 18:14
To: Chris Berry
Cc: security-basics () securityfocus com
Subject: Re: Best for of signature

Concur.  I distrust them to the extent that I never see them.  Hence,
the vote for inline.  


Chris Berry wrote:

From: Frank Barton <pauling () starwolf biz>
I was wondering what people's feelings are here as to the best way to
digitally sign a message.
mutt for example creates the digital signature as an attachment, and
attaches it, while some people create the
signature as part of the text of the message.

Which way is best? or most compatable?

I personally distrust any attachments I didn't specifically request,
so my
vote would be for inline signatures.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"For Sys Admins paranoia isn't a mental health problem, its a
marketable job

Tired of spam? Get advanced junk mail protection with MSN 8.

James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]