Encryption: A question on Digital Signatures

User Help for Mozilla Thunderbird
Red_Dwarf
Posts: 73
Joined: February 14th, 2004, 10:45 am

Encryption: A question on Digital Signatures

Post by Red_Dwarf »

I want to use encrypted email in Thunderbird and I am attempting to set it up, but I have run into something for which I need an answer. I have read guides on doing this, but they fail to answer my question.

This is regarding a Digital Signature. In the email Account settings on the End-to-End Encryption tab "Add my Digital Signature by default" is ticked, and in the Advanced Settings just beneath that it has an option "Attach my public key when adding an OpenPGP digital signature".

The question I have is: is it necessary to attach my public key if the person that I will be emailing has already been sent my public key? It adds quite a lot to the message size, which is why I would prefer not to do it if it is unnecessary. What are the downsides of leaving that option unticked?

I hope someone can answer this for me.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Encryption: A question on Digital Signatures

Post by tanstaafl »

https://support.mozilla.org/en-US/kb/di ... g-messages doesn't explain the tradeoffs.

I suspect there are two tradeoffs.

1) If the public key isn't in the message it can be annoying for the recipient to figure out how to tell their software where to get the public key, in order to validate the signature. If it's on a public key server they have to figure out which one. You normally don't know what software the recipient will use.

2) Public key servers are insecure. You can eliminate some potential risks/bugs by getting the keys directly and securely from who you are corresponding with.

https://security.stackexchange.com/ques ... key-server

https://thunderbird.topicbox.com/groups ... 075e420183


I suggest you ask in https://thunderbird.topicbox.com/groups/e2ee if this doesn't help.
Red_Dwarf
Posts: 73
Joined: February 14th, 2004, 10:45 am

Re: Encryption: A question on Digital Signatures

Post by Red_Dwarf »

Thanks for the information... I have not used a Public key server because I don't like relying on anything in public, whatever it is, so I intend to email my Public key to the recipient, then verify the fingerprint by phone.

Wouldn't the recipient import my public key into Thunderbird so it would be available in TB to check a signature? Or is the Digital Signature different to my Public key? On this last bit I need clarification because there are lots of terms and it is not very clear where they apply and to what.
Last edited by Red_Dwarf on November 28th, 2021, 10:04 am, edited 1 time in total.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Encryption: A question on Digital Signatures

Post by tanstaafl »

"A digital signature is a mathematical process that assures the following:

Sender verification: the sender is indeed who he/she claims to be
Integrity: The message has not been altered during transit
Non-repudiation: the sender cannot deny having sent the message"

A digital signature is your message, encrypted using your private key. Only the public key is needed to verify it. Verifying the public key by getting a fingerprint (a short sequence of bytes used to identify a longer public key) over the phone should work.

https://blog.mailfence.com/openpgp-digi ... practices/

"Wouldn't the recipient import my public key into Thunderbird so it would be available in TB to check a signature?"

You need to find out what email client they are using (and what version if it's Thunderbird). They might even use webmail. Your use case has shifted from posting a digitally signed message to some mailing lists (what I thought you were doing) to exchanging digitally signed mail with one person. In the latter case it makes sense not to include a copy of the public key every time if you know they can import it from another message and reuse it.
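As an added illustration of the points in this reply (sign with the private key, verify with the public key only, confirm the key by fingerprint out of band, and why a key imported from an earlier message is enough for later ones), here is a toy RSA sign/verify walk-through in Python. It is example code written for this thread, not code from Thunderbird or OpenPGP; the primes, message and key names are constructed, the parameters are far too small to be secure, and the fingerprint is a simple SHA-256 truncation rather than an OpenPGP v4 fingerprint.

```python
import hashlib
from math import gcd

# Constructed toy parameters: well-known primes chosen only so the numbers stay
# readable. Real OpenPGP keys are thousands of bits; these give no security.
TOY_P = 1000000007
TOY_Q = 998244353
OTHER_P = 1000000009      # second constructed keypair, used to show a key mismatch
OTHER_Q = 2147483647


def make_keypair(p=TOY_P, q=TOY_Q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # private exponent (modular inverse; Python 3.8+)
    return (n, e), (n, d)


def fingerprint(public_key):
    """Short hash that identifies a public key: the value you read out by phone."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:40]


def _message_digest(message: bytes, n: int) -> int:
    # Like OpenPGP, sign a hash of the message rather than the message itself.
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def sign(message: bytes, private_key) -> int:
    """Produce a signature; only the holder of the private key can do this."""
    n, d = private_key
    return pow(_message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Check a signature using nothing but the public key."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == _message_digest(message, n)


def demo():
    """Walk through the thread's scenario; returns each check as a named bool."""
    sender_pub, sender_priv = make_keypair()
    message = b"Meet at the usual place at 7."   # constructed sample mail body
    signature = sign(message, sender_priv)

    # The recipient imported the sender's key from an earlier mail, so later
    # mails only need to carry the signature, not a copy of the key.
    imported_key = sender_pub

    # Out-of-band check: the fingerprint read over the phone must match the
    # fingerprint of the key the recipient actually imported.
    phone_fingerprint = fingerprint(sender_pub)

    # A different key (one that did not come from the real sender) has a
    # different fingerprint and cannot verify the genuine signature.
    other_pub, _ = make_keypair(OTHER_P, OTHER_Q)

    return {
        "fingerprint_matches_phone": fingerprint(imported_key) == phone_fingerprint,
        "other_key_fingerprint_differs": fingerprint(other_pub) != phone_fingerprint,
        "valid_with_imported_key": verify(message, signature, imported_key),
        "tampered_message_rejected": not verify(message + b"!", signature, imported_key),
        "wrong_key_rejected": not verify(message, signature, other_pub),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The signature and the public key are different objects: the signature is produced per message with the private key, while the public key is a long-lived value the recipient keeps in their keyring, which is why it only has to be sent (and fingerprint-checked) once.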
Red_Dwarf
Posts: 73
Joined: February 14th, 2004, 10:45 am

Re: Encryption: A question on Digital Signatures

Post by Red_Dwarf »

I don't think that the person uses IMAP webmail; they use a UK ISP email account called virginmedia, a blueyonder rebrand. The TB source from unencrypted emails that I have received before now shows smtp and mentions both virginmedia.net and blueyonder.co.uk.

No, this has nothing to do with mailing lists; it is emails between two people that I want to make sure are secure. I use outlook webmail and the other person, my brother, uses an ISP email account.

"In the latter case it makes sense not to include a copy of the public key every time if you know they can import it from another message and reuse it."

Thanks, that answers what I needed to know. Thanks for helping me out, it's appreciated.