Sign Everything, My Friends

By Brian Hatch, ITworld | News

I annoy a lot of people. Headhunters constantly tell me to re-send my
resume because they couldn't read it; folks using certain versions of
Eudora crash when they try to read my email; Outlook users claim the
icons "don't look right" for my emails, or that the message requires several
clicks to read at all.

Why? Because I electronically sign each and every email I send with PGP.
No, I'm not sending you a resume, my dear persistent headhunters. I'm
sorry that particular version of Eudora can't handle a completely valid
MIME message, but it's not my fault. You're using Outlook? I offer my
condolences.

Each email I create is automatically digitally signed. This signature,
generated by gpg (the GNU Privacy Guard[1]), is sent as an attachment,
the presence (and unreadability) of which confuses some people the first
time they encounter it. They mistake it for a corrupted file, an
unreadable image, or a virus.

Some folks ask me why I sign everything I write, and the answer is
simple: I need to. I'm in the computer security business, and, as such,
I send a boatload of emails such as directives to users, administrators,
and co-workers. Because of this, messages appearing to be from me have
a good chance of being acted upon. By digitally signing everything, even
stupid jokes I send my sister, I've established a pattern that says, "If
it ain't signed, it ain't me." Those with whom I discuss important
topics can read and verify the PGP signature automatically and know when
the signature is valid. If it's not, then the message is not authentic,
they'll contact me to let me know something is amiss, and won't act on
the information therein.
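The sign-and-verify loop this policy rests on, as an added example that is not part of the column: it assumes GnuPG 2.1 or later is installed as `gpg`, builds a throwaway key in a temporary keyring (the user id and message text are constructed placeholders), produces the detached ASCII-armoured signature that mail clients attach as `application/pgp-signature`, and applies the "if it ain't signed, it ain't me" rule to a signed, an unsigned, and an altered message.

```shell
#!/bin/sh
# Added example, not the column's code: demonstrate the "no valid signature,
# not authentic" policy with GnuPG. Assumes gpg 2.1+ on PATH.
set -u

# Isolated keyring so the demo never touches the real ~/.gnupg.
GNUPGHOME=$(mktemp -d /tmp/sigdemo.XXXXXX)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
UID_DEMO='Demo Signer <signer@example.invalid>'   # constructed user id

# Create an unprotected signing key (acceptable for a throwaway demo only;
# a real mail key is protected by a passphrase, as the column says).
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_DEMO" default default never 2>/dev/null
}

# Produce the detached, armoured signature a mail client would attach.
# $1 = message file, $2 = signature file to write.
sign_message() {
    gpg --batch --quiet --armor --detach-sign --local-user "$UID_DEMO" \
        --output "$2" "$1" 2>/dev/null
}

# The policy: a message is accepted only if a signature is attached AND it
# verifies against the signer's key. $1 = message file, $2 = signature file
# (may be absent). Returns 0 only for a good signature and prints the verdict.
accept_message() {
    if [ ! -s "$2" ]; then
        echo "REJECT: no signature attached"
        return 1
    fi
    if gpg --batch --quiet --verify "$2" "$1" 2>/dev/null; then
        echo "ACCEPT: good signature"
        return 0
    fi
    echo "REJECT: bad signature (forged or altered)"
    return 1
}

# Stop the agent gpg started for this keyring and remove the keyring.
cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

# Walkthrough: one genuine message, one unsigned, one altered after signing.
demo() {
    gen_key || { echo "key generation failed"; return 2; }
    msg="$GNUPGHOME/msg.txt"; sig="$GNUPGHOME/msg.txt.asc"
    printf 'Please rotate the admin password today.\n' > "$msg"
    sign_message "$msg" "$sig"
    accept_message "$msg" "$sig"                  # ACCEPT: good signature
    accept_message "$msg" "$GNUPGHOME/none.asc"   # REJECT: no signature attached
    printf 'Please send me the admin password.\n' > "$msg"
    accept_message "$msg" "$sig"                  # REJECT: bad signature
}

# Run the walkthrough when executed directly: sh sigdemo.sh run
if [ "${1:-}" = "run" ]; then
    demo
    cleanup
fi
```

The third case is the one that matters in practice: the signature file is genuine, but it belongs to a different message body, so `gpg --verify` fails and the recipient treats the text as not authentic, exactly as if it had arrived unsigned.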

On several occasions, people have attempted to impersonate me to get
others to perform questionable actions on their systems, and the lack of
a valid PGP signature has prevented them from being carried out. In
other cases, I've had people claim I'd said one thing, providing me (and
higher-management) with copies of my alleged emails. While the email
address and other data are trivial to forge, forging a PGP signature
without my key and passphrase is impossible. Instead of getting me in
trouble, the forger landed in the hot water he'd boiled for me.

I encourage folks to sign everything they write. It provides a
verifiable trail, imposes accountability, and means you'll never be able
to claim that something with a valid sig was forged.
