From: www.itworld.com
May 28, 2002 —

I annoy a lot of people. Headhunters constantly tell me to re-send my
resume because they couldn't read it; folks using certain versions of
Eudora crash when they try to read my email; Outlook users claim that
the icons "don't look right" for my emails or that the message requires
several clicks to read at all.

Why? Because I electronically sign each and every email I send with PGP.
No, I'm not sending you a resume my dear persistent headhunters. I'm
sorry that particular version of Eudora can't handle a completely valid
MIME message, but it's not my fault. You're using Outlook? I offer my
condolences.

Each email I create is automatically digitally signed. This signature,
generated by gpg (the GNU Privacy Guard[1]), is sent as an attachment,
the presence (and unreadability) of which confuses some people the first
time they encounter it. They mistake it for a corrupted file, an
unreadable image, or a virus.

Some folks ask me why I sign everything I write, and the answer is
simple: I need to. I'm in the computer security business, and, as such,
I send a boatload of emails such as directives to users, administrators,
and co-workers. Because of this, messages appearing to be from me have
a good chance of being acted upon. By digitally signing everything, even
stupid jokes I send my sister, I've established a pattern that says, "If
it ain't signed, it ain't me." Those with whom I discuss important
topics can read and verify the PGP signature automatically and know when
the signature is valid. If it's not, then the message is not authentic,
they'll contact me to let me know something is amiss, and won't act on
the information therein.

On several occasions, people have attempted to impersonate me to get
others to perform questionable actions on their systems, and the lack of
a valid PGP signature has prevented them from being carried out. In
other cases, I've had people claim I'd said one thing, providing me (and
higher-management) with copies of my alleged emails. While the email
address and other data are trivial to forge, forging a PGP signature
without my key and passphrase is impossible. Instead of getting me in
trouble, the forger landed in the hot water he'd boiled for me.

I encourage folks to sign everything they write. It provides a
verifiable trail, imposes accountability, and means you'll never be able
to claim that something with a valid sig was forged. Anyone used to
weaseling out of situations will find this problematic, but those who
are willing to stick by what they write will find that the
authentication aspects are worth being...well, honorable.

Since I hate having an article with no code, let me provide you with the
relevant snippets from my mutt[2] settings:

    # Sign everything
    set pgp_autosign

    # Encrypt replies to encrypted messages
    set pgp_replyencrypt

    # Sign encrypted replies too
    set pgp_replysignencrypted

    # How long to cache PGP passphrase, in seconds (4800 s = 80 min)
    set pgp_timeout=4800

    # Weed out extraneous keys
    set pgp_ignore_subkeys=yes

    # Encode the text part as quoted-printable, for best
    # compatibility and verification-ability
    set pgp_strict_enc=yes

    # Verify signatures on all emails by default
    set pgp_verify_sig=yes

    # Use MIME, not inline PGP signing. This creates
    # a pgp attachment. Traditional signing can break
    # certain mailers, and isn't verified correctly in
    # others
    set pgp_create_traditional=no

    # You can set pgp_sign_as, ala
    # set pgp_sign_as="0x01234567"
    # to set the key you use to sign your emails. However
    # I prefer to put this in ~/.gnupg/options, like:
    # default-key "Joe Schmoe
    # encrypt-to "Joe Schmoe
    # so that it's available to all gpg functions.

A variety of pgp command variables can be set as well that tell mutt how
to look up keys, sign the mails, and all other pgp functions; however,
these variables vary depending on the version of pgp you have and how
it's installed. Luckily, most Linux distributions will include proper
values for these variables for you in /etc/Muttrc and you don't need to
touch them at all.
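
As an added example (not code from the article or from the mutt or GnuPG
projects), the Python sketch below shows what a recipient's tooling sees
for the two signing styles named in the pgp_create_traditional comment
above, and applies the "if it ain't signed, it ain't me" rule to mail that
claims to come from a sender who signs everything. The sender list,
addresses and messages are constructed and the signature blocks are
placeholders; the code inspects structure only and leaves the actual
signature check to gpg.

```python
# Added example: structural triage only. A "verify:" result means "hand this
# message to gpg", never "this message is authentic".
from email import message_from_string
from email.utils import parseaddr

ALWAYS_SIGNS = {"alice@example.org"}  # constructed: senders who sign everything

def signing_style(msg):
    """Return 'pgp-mime', 'inline', 'malformed' or 'unsigned'."""
    if msg.get_content_type() == "multipart/signed":
        parts = msg.get_payload()
        # RFC 3156: the signed body part, then the detached signature part
        ok = (msg.get_param("protocol") == "application/pgp-signature"
              and isinstance(parts, list) and len(parts) == 2
              and parts[1].get_content_type() == "application/pgp-signature")
        return "pgp-mime" if ok else "malformed"
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = part.get_payload()
            if text.lstrip().startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
                return "inline"
    return "unsigned"

def triage(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    style = signing_style(msg)
    if style in ("unsigned", "malformed"):
        return "suspect" if sender in ALWAYS_SIGNS else "unsigned"
    return "verify:" + style

HEAD = "From: Alice <alice@example.org>\nTo: bob@example.net\nSubject: directive\n"
# Constructed samples; the signature bodies are placeholders, not real signatures.
MIME_SIGNED = HEAD + (
    'Content-Type: multipart/signed; micalg=pgp-sha1;\n'
    ' protocol="application/pgp-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nRotate the admin password today.\n\n"
    "--b1\nContent-Type: application/pgp-signature\n\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
    "--b1--\n")
INLINE_SIGNED = HEAD + (
    "\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nRotate it today.\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
FORGED = HEAD + "\nPlease grant this account admin rights.\n"

if __name__ == "__main__":
    for name, raw in (("mime", MIME_SIGNED), ("inline", INLINE_SIGNED), ("forged", FORGED)):
        print(name, "->", triage(raw))
```
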

If there are some addresses to which you should not send PGP-signed
messages (pagers and other non-pgp-friendly low-bandwidth devices, for
example), then you can add this to your .muttrc as well:

    send-hook '~t .' 'set pgp_autosign'
    send-hook '~t addr1@example.com' 'unset pgp_autosign'
    send-hook '~t addr2@example.net' 'unset pgp_autosign'

The first line forces pgp_autosign to be set by default: its pattern,
'.', is a regular expression that matches any character, so it matches
every recipient and therefore all messages. The next two lines then
unset pgp_autosign for the two addresses listed. Mutt runs every
matching send-hook in the order given, so the catch-all line has to come
first. Thus, mail to all users except those two will be signed.
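
The ordering rule is easier to see when it is run. The following Python
model is an added example, not mutt code and not from the article: it
re-implements only the '~t' pattern and the set/unset pgp_autosign
commands, with the three hooks above as input and constructed recipient
addresses. It also reports the case where one excepted address on the To:
line leaves the whole message, other recipients included, unsigned.

```python
# Added example: a simplified model of mutt send-hook evaluation, not mutt code.
import re

# The hooks from the article, in .muttrc order: (pattern, command)
ARTICLE_HOOKS = [
    ("~t .", "set pgp_autosign"),
    ("~t addr1@example.com", "unset pgp_autosign"),
    ("~t addr2@example.net", "unset pgp_autosign"),
]

def will_sign(hooks, to_addrs, start=False):
    """Run every matching hook in order and return the final pgp_autosign."""
    signing = start
    for pattern, command in hooks:
        op, regex = pattern.split(None, 1)
        if op != "~t":
            raise ValueError("this model only handles ~t patterns")
        # ~t matches when ANY To: address matches the regular expression
        if any(re.search(regex, addr, re.IGNORECASE) for addr in to_addrs):
            if command == "set pgp_autosign":
                signing = True
            elif command == "unset pgp_autosign":
                signing = False
    return signing

def unsigned_recipients(hooks, to_addrs):
    """Recipients of an unsigned message who would get signed mail if alone."""
    if will_sign(hooks, to_addrs):
        return []
    return [a for a in to_addrs if will_sign(hooks, [a])]

if __name__ == "__main__":
    mixed = ["addr1@example.com", "boss@example.org"]  # constructed recipients
    print("signed to a normal recipient:", will_sign(ARTICLE_HOOKS, ["boss@example.org"]))
    print("signed to mixed recipients:", will_sign(ARTICLE_HOOKS, mixed))
    print("recipients left without a signature:", unsigned_recipients(ARTICLE_HOOKS, mixed))
    reordered = ARTICLE_HOOKS[1:] + ARTICLE_HOOKS[:1]  # catch-all moved last
    print("exception survives reordering:", not will_sign(reordered, ["addr1@example.com"]))
```

Because the hook patterns are regular expressions, the unescaped dots in
the two exception addresses match any character, so a look-alike address
can also fall under an exception.
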

Happy signing!

NOTES

[1] GPG is available at http://www.gnupg.org/. It's got full
    support for the OpenPGP standard and has the greatest
    compatibility with old encrypted/signed files and keyrings.

[2] Mutt, the best email client in the universe, is available at
    http://www.mutt.org/. I suggest you use the 1.3 branch.
    Technically it's beta, but it's damned stable and has the best
    IMAP support if you need it.