[Enigmail] signature test
Robert J. Hansen
rjh at sixdemonbag.org
Sat Feb 16 08:56:04 PST 2008

Florence Fix wrote:
> I just installed enigmail on thunderbird. I am a university teacher and
> I would like to use enigmail to have a means to prove that a message
> sent to a student was really sent by me or that it has been tampered with.

Unfortunately, this is not quite what Enigmail does. A good signature
will prove to people that the message really came from you, assuming
they trust your goodwill, but a bad or missing signature proves
absolutely nothing.

> I am a non-techie so I would like to know if somebody on this list
> (which has been recommended for this purpose by the enigmail quick start
> guide) could confirm that this message has been correctly signed; I have
> the automatic signature option activated.

Without your public key, none of us can verify your signature. I would
suggest uploading it to the keyservers.

> How can I now check and prove that this message has been sent by me and
> has not been tampered with?

The process for checking signatures is pretty straightforward.

1. Make sure you trust the person. A signature reflects an already
   existing trust relationship. A signature cannot make a message
   from someone you don't trust suddenly trustworthy.

2. Make sure you have the right key. Anyone can create a key which
   claims to be George W. Bush's. Similarly, anyone can create a
   key which claims to be Florence Fix's, or Robert J. Hansen's. The
   way I make it easy for people to get the right key is I print my
   key fingerprint on a business card. Fingerprints are effectively
   unforgeable.

   I would also consider putting the fingerprint on the class syllabus
   when you hand it out to people.

3. Your students will need to tell Enigmail they've confirmed the key
   labeled "Florence Fix" really belongs to you. They can do this by:

   a. Creating their own keypair in Enigmail
   b. Opening the Key Management window in Enigmail
   c. Entering "Florence Fix" into the search box at the very top
   d. Finding your key in the list below
   e. Right-clicking on it and choosing "Key Properties"
   f. Checking the fingerprint on that key is the same as the
      fingerprint on the syllabus
   g. Closing the Key Properties window and returning to the Key
      Management window
   h. Right-clicking on your key again and choosing "Sign"
   i. Clicking "OK"

Incidentally, you're not the only academic on this list. I'm a Ph.D.
candidate in computer science over at the University of Iowa. If you
find yourself having problems with using Enigmail in a university
setting, please, feel free to holler at me. :)
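
Added example, not part of the original message: a Python sketch of why the fingerprint check in step 3f settles which key is the right one. It assumes version 4 OpenPGP keys, whose fingerprint (RFC 4880, section 12.2) is a SHA-1 hash over the public key material only, so the name attached to a key has no influence on it. The key numbers and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, modulus: int, exponent: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(modulus) + mpi(exponent)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte body length, and the packet body. No user ID is hashed."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Strip whitespace and colons, upper-case, and reject anything but 40 hex digits."""
    cleaned = "".join(fpr.split()).replace(":", "").upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a full 40-digit v4 fingerprint")
    return cleaned

def same_key(printed: str, shown: str) -> bool:
    """Compare the fingerprint on paper with the one shown in Key Properties."""
    return hmac.compare_digest(normalize(printed), normalize(shown))

def grouped(fpr: str) -> str:
    """Format as ten groups of four digits, the way fingerprints are usually printed."""
    return " ".join(fpr[i:i + 4] for i in range(0, 40, 4))

# Constructed sample values: toy numbers standing in for key material, not real RSA keys.
# Both keys could carry the same name; only the modulus differs.
GENUINE = v4_rsa_key_body(1203180000, (1 << 1023) + 0x2F1, 65537)
LOOKALIKE = v4_rsa_key_body(1203180000, (1 << 1023) + 0x2F3, 65537)

if __name__ == "__main__":
    on_syllabus = grouped(v4_fingerprint(GENUINE))
    print("printed on syllabus:", on_syllabus)
    for label, body in (("genuine key", GENUINE), ("look-alike key", LOOKALIKE)):
        shown = v4_fingerprint(body).lower()
        print(label, "->", "match" if same_key(on_syllabus, shown) else "MISMATCH")
```

The comparison rejects shortened forms such as an 8-digit key ID, so only a full fingerprint can produce a match.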