> The signature is related to the "from" address. But it is, essentially, not about that except for on the very technical level. Regarding encrypted emails, NOT signing is giving up security: yes the message can't be seen while traveling over the network, but the recipient is put in a vulnerable situation and can easily be tricked by a powerful adversary. It's not about p"roving it's you", in the way normal users would think about it. (If the text *looks* like it's written by their mom, of course it was their mom who sent it, right?!). Since reasons for signing can't be understood easily, I think the signing should always be on and only hide away the advanced option to disable it. > The at-risks users that I interviewed in August didn’t care or didn’t even know about the cryptographic signature of OpenPGP That is indeed a very serious problem regarding incoming as well. Bug 1731984. I don't think education can help users in general: it's way too complex to explain so that the average person would care about those details... It's on the software to do reasonable defaults and reasonable display for each case. I think we should close this bug wontfix, or even change the current setup to display an insecure encryption icon if you do not sign.
Bug 1630395 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
> The signature is related to the "from" address. But it is, essentially, not about that except for on the very technical level. Regarding encrypted emails, NOT signing is giving up security: yes the message can't be seen while traveling over the network, but the recipient is put in a vulnerable situation and can easily be tricked by a powerful adversary. It's not about "proving it's you", in the way normal users would think about it. (If the text *looks* like it's written by their mom, of course it was their mom who sent it, right?!). Since reasons for signing can't be understood easily, I think the signing should always be on and only hide away the advanced option to disable it. > The at-risks users that I interviewed in August didn’t care or didn’t even know about the cryptographic signature of OpenPGP That is indeed a very serious problem regarding incoming as well. Bug 1731984. I don't think education can help users in general: it's way too complex to explain so that the average person would care about those details... It's on the software to do reasonable defaults and reasonable display for each case. I think we should close this bug wontfix, or even change the current setup to display an insecure encryption icon if you do not sign.