Enigmail Forum

[ilurista]

Hi @ all,

I am new here in the forum, my english is not the best cause I´m from germany, but I hope you can understand it.
Like in the subject mentioned I tested to sign a blank message and send it to my own mail address.
The mail arrives but it isn´t signed why?
Isn´t it possible to send a signed blank mail to certify the senders address only?

Thanks for all answers!

Have a nice day, ilurista

[dan]

Hi and welcome,

Your English is fine.

When you send a blank email it will not be signed, even if you ask Enigmail to do so, because signing applies to the email payload only, therefore in a blank email there's nothing to sign. All email headers e.g. the Subject, Date, all Received headers, the "name" part of the From, etc. are not included in the signature and could therefore be forged. (This is obvious when you think that the headers are added to the message by the email client after the Enigmail processing; some headers are even added by MTAs in the path from sender to receiver.)

The sender's email address is mentioned in the user ID of the public key, so it's strictly bound to the key that was used to sign the message.
This does not suffice to "certify" the sender, though: when you receive a new public key you should check that it was really given to you by the intended owner. You can do that by checking the key fingerprint with the owner.