RE: Best for of signature

From: Alejandro Criado-Pérez (alejandro@criadoperez.com)
Date: 02/13/03

    From: Alejandro Criado-Pérez <alejandro@criadoperez.com>
    To: <Security-basics@securityfocus.com>
    Date: Thu, 13 Feb 2003 01:11:03 +0100
    
    

    Here I give you my experience and opinion about digital signatures.

    I used to love PGP, especially because it didn't require an attachment, but
    now I have changed my mind.
    I bought the Verisign digital ID, especially because of its perfect
    compatibility with Outlook. Anybody with Outlook (most of the people I
    write to) can see the signature without any additional software (unlike
    PGP). This is a very important detail for me. Also, it doesn't
    modify your message. I can send HTML email with international characters
    and the digital signature won't modify my document. PGP couldn't do
    this.

    But there is one big disadvantage with Verisign's digital ID. If I
    receive an encrypted email, after I open it, I can't save the email
    unencrypted (in PGP you can do this). So whenever my digital ID expires
    and I renew it (which has to be done every year), I won't be able to
    read the encrypted email unless I kept my old ID. My renewed ID won't be
    able to open it. So if, in a couple of years, I need to see an encrypted
    email they sent me, I need my old digital ID or I lose the email
    forever. I wrote to Verisign and they told me that "that's just the way
    it works".

    Also, if you sign an email with the Verisign ID and the receiver uses
    webmail or Lotus Notes, they won't be able to read the email AT ALL!! If
    you sign it with PGP and they don't have PGP software, they will still
    always be able to read the email. This gives an extra point to PGP.

    Does anybody know a good digital ID that everybody can read? I've been
    having this problem for a while, and I'm still very surprised that
    there's no standard for this.
    I don't mind paying for it as long as it works.

    Thank you.

               Alejandro Criado-Pérez
               alejandro@criadoperez.com

    -----Original Message-----
    From: Meritt James [mailto:meritt_james@bah.com]
    Sent: Wednesday, 12 February 2003 18:14
    To: Chris Berry
    Cc: security-basics@securityfocus.com
    Subject: Re: Best for of signature

    Concur. I distrust them to the extent that I never see them. Hence,
    the vote for inline.

    Jim

    Chris Berry wrote:
    >
    > >From: Frank Barton <pauling@starwolf.biz>
    > >I was wondering what people's feelings are here as to the best way to
    > >digitally sign a message.
    > >mutt, for example, creates the digital signature as an attachment and then
    > >attaches it, while some people create the
    > >signature as part of the text of the message.
    > >
    > >Which way is best? Or most compatible?
    >
    > I personally distrust any attachments I didn't specifically request, so my
    > vote would be for inline signatures.
    >
    > Chris Berry
    > compjma@hotmail.com
    > Systems Administrator
    > JM Associates
    >
    > "For Sys Admins paranoia isn't a mental health problem, it's a marketable job
    > skill."
    >

    -- 
    James W. Meritt CISSP, CISA
    Booz | Allen | Hamilton
    phone: (410) 684-6566
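The thread compares three ways of carrying a signature: inline (PGP clearsigned, the signature is part of the text), as a detached attachment (the multipart/signed structure mutt produces for PGP/MIME, which S/MIME can also use), and the S/MIME form that wraps the whole message in one blob. Whether a recipient without signature software can still read the text depends on which MIME container is used. The following is an added example, not code from the thread or from any product named in it: it builds each container with Python's standard `email` package and runs a deliberately naive "client" over them that understands MIME but neither PGP nor S/MIME. The message text and the signature bytes are constructed placeholders (no real signing happens; only the structure matters here), and the function names are the example's own.

```python
"""Added example: what a mail client with no PGP or S/MIME support can display
for each signing structure discussed in the thread.

All data is constructed: BODY is sample text and PLACEHOLDER_SIG stands in for
real PGP or CMS signature bytes. Only the MIME layout is being demonstrated."""
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BODY = "The meeting has moved to 10:00.\n"   # constructed message text
PLACEHOLDER_SIG = b"not-a-real-signature"    # constructed, not a real signature


def inline_signed() -> bytes:
    """PGP clearsigned: armor and signature are part of the text body itself."""
    text = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + BODY
            + "-----BEGIN PGP SIGNATURE-----\n\n" + PLACEHOLDER_SIG.decode()
            + "\n-----END PGP SIGNATURE-----\n")
    return MIMEText(text).as_bytes()


def detached_signed(protocol: str, micalg: str, sig_subtype: str, filename: str) -> bytes:
    """multipart/signed (RFC 1847): part 1 is the readable message, part 2 is
    the signature. PGP/MIME (RFC 3156) and clear-signed S/MIME (RFC 8551)
    both use this layout; they differ only in the protocol parameter."""
    outer = MIMEMultipart("signed", protocol=protocol, micalg=micalg)
    outer.attach(MIMEText(BODY))
    sig = MIMEApplication(PLACEHOLDER_SIG, sig_subtype, name=filename)
    sig.add_header("Content-Disposition", "attachment", filename=filename)
    outer.attach(sig)
    return outer.as_bytes()


def pgp_mime_signed() -> bytes:
    return detached_signed("application/pgp-signature", "pgp-sha256",
                           "pgp-signature", "signature.asc")


def smime_clear_signed() -> bytes:
    return detached_signed("application/pkcs7-signature", "sha-256",
                           "pkcs7-signature", "smime.p7s")


def smime_opaque_signed() -> bytes:
    """Opaque S/MIME: text and signature travel together inside one
    application/pkcs7-mime blob, so the message has no text part at all."""
    blob = MIMEApplication(BODY.encode() + PLACEHOLDER_SIG, "pkcs7-mime",
                           name="smime.p7m", **{"smime-type": "signed-data"})
    blob.add_header("Content-Disposition", "attachment", filename="smime.p7m")
    return blob.as_bytes()


READABLE = {"text/plain", "text/html"}


def readable_text(raw: bytes):
    """Emulate a client that understands MIME but neither PGP nor S/MIME:
    return the first text part it can display, or None if there is none."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in READABLE:
            return part.get_content()
    return None


if __name__ == "__main__":
    cases = [("inline PGP", inline_signed),
             ("PGP/MIME multipart/signed", pgp_mime_signed),
             ("S/MIME multipart/signed", smime_clear_signed),
             ("S/MIME opaque pkcs7-mime", smime_opaque_signed)]
    for name, build in cases:
        shown = readable_text(build())
        print(f"{name:27s} -> {'text shown' if shown else 'nothing to display'}")
```

The inline and both multipart/signed forms leave a text/plain part that any MIME-capable client shows (the inline one with the armor lines visible, as the thread notes); the opaque pkcs7-mime form has no text part, so a client without S/MIME support has nothing to display. The inline form also illustrates why it is the most fragile to verify: anything that rewrites the body, such as HTML conversion or character-set changes, alters the signed text itself.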
    

