Signing email with PGP is a good idea, but few people do it, which is itself a common argument against it. One big reason is the confusion it causes for most receivers.
Currently you have two options for signing an email with PGP. PGP/INLINE means wrapping the body in a clearsigned block (the BEGIN PGP SIGNED MESSAGE / BEGIN PGP SIGNATURE armor), so most receivers wonder about the strange garbage in your email. The other option is PGP/MIME, where the message becomes multipart/signed and the signature travels as an application/pgp-signature part, which the receiver sees as a weird attachment he cannot open.
That could be solved if each and every email client out there acknowledged PGP and hid it by default, maybe showing a little "this is verified and secure" icon somewhere. However, this is not feasible. What we need is some way to sneak in the signature such that ignorant email clients ignore it.
The email headers would be a possible place. There is already a wide array of header fields, so adding one is not a problem; spam detection software adds fields too. As far as I know every email client out there ignores unknown header fields.
Assume the body of your email is the content of a file called foo.
Then you can generate a detached signature:
gpg --output foo.sig --detach-sign foo
For an email we need ASCII, not binary, so we Base64-encode the signature:
base64 foo.sig
This gives us data like this:
iQEcBAABAgAGBQJQg8ZvAAoJEKm3M8a3pi2iXpoH/1ykZS5/vMuTMJZKbLUaU2kUEY+3GaW5GgRN
3xH0BRWxAjxaT83K9DPnJhyqSBISnIO/Jg0QAkWv37gnUDw6YtiD/7nzfqsn/tiGQZqviYRFvKV9
QINRvilRFzy/EWZFVLPQGiUfnkDf4URqcIf4giQkm+PlSJnQ/Zn3wmw8iseixlFdCZftRKEfgEYP
d4M2Us+2iYwQeMzLtfAYY6qa46qshirA8dxCaAdnQwk0bO2GuR2dgM2E0l797PmE1vtTZMwsCpv1
2GOTSevxZ6nOb5ylgI8MvUNAAgz41zmlAOZwMQchHM7m8GhJ3vuAcNiSH5RbOWo6SXbhyaEp9bkq
tpo=
Put this string into a dedicated email header, folded over continuation lines since a header line must not exceed 998 octets, and use the content of foo as the body of the email.
Now we have successfully signed the email, and the receiver can verify it with our public key: take the header value, Base64-decode it back into a .sig file and run gpg --verify against the received body. Two caveats follow from what is signed. The signature covers only the body, so the Subject, From and every other header stay unauthenticated. And it covers the body byte for byte, so a relay that rewrites line endings or re-encodes 8-bit text as quoted-printable makes verification fail even though nobody tampered with the mail.
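Sender and receiver sides of the procedure above, as an added example in Python (not code from the original post). It shells out to gpg for the actual signing and verification, exactly as the commands above do, and adds the part the post skips: folding the Base64 string into header continuation lines and unfolding and decoding it again on receipt. The header name X-PGP-Signature, the sample body and the presence of a usable key in the local gpg keyring are assumptions; the post fixes none of them.

```python
"""Carry a detached PGP signature over the mail body in a header field.

Added example, not code from the original post. The header name
X-PGP-Signature is an assumption (the post leaves the name open); the
signature covers the body byte for byte, exactly as the post describes.
"""
import base64
import re
import shutil
import subprocess
import tempfile
from typing import List, Optional, Tuple

HEADER = "X-PGP-Signature"   # assumed name, not fixed by the post
FOLD_AT = 76                 # chunk length, like the lines `base64` prints


def gpg_detach_sign(body: bytes, key_id: Optional[str] = None) -> bytes:
    """Same as `gpg --output foo.sig --detach-sign foo`, but via stdin/stdout.
    Needs gpg on PATH and a secret key whose passphrase the agent can supply."""
    cmd = ["gpg", "--batch", "--detach-sign"]
    if key_id:
        cmd += ["--local-user", key_id]
    return subprocess.run(cmd, input=body, capture_output=True, check=True).stdout


def gpg_verify(body: bytes, sig: bytes) -> bool:
    """Same as `gpg --verify foo.sig foo`; exit status 0 means a good signature
    from a key in the local keyring (whether to trust that key is separate)."""
    with tempfile.NamedTemporaryFile(suffix=".sig") as sig_file:
        sig_file.write(sig)
        sig_file.flush()
        # "-" as the data argument makes gpg read the signed data from stdin
        result = subprocess.run(["gpg", "--batch", "--verify", sig_file.name, "-"],
                                input=body, capture_output=True)
    return result.returncode == 0


def fold_header(name: str, value: str) -> str:
    """Fold a long value into continuation lines: RFC 5322 caps a header line
    at 998 octets (78 recommended), and a signature's Base64 is far longer."""
    chunks = [value[i:i + FOLD_AT] for i in range(0, len(value), FOLD_AT)]
    return name + ":" + "".join("\r\n " + chunk for chunk in chunks) + "\r\n"


def build_message(headers: List[Tuple[str, str]], body: bytes, sig: bytes) -> bytes:
    """Sender side: ordinary headers, the folded signature header, blank line, body."""
    b64 = base64.b64encode(sig).decode("ascii")
    head = "".join(f"{n}: {v}\r\n" for n, v in headers) + fold_header(HEADER, b64)
    return head.encode("ascii") + b"\r\n" + body


def extract(message: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Receiver side: split at the first blank line, unfold the headers and
    Base64-decode the signature header. The body is returned exactly as
    received, because that is what the sender signed; a relay that rewrote
    line endings or re-encoded 8-bit text will therefore break verification."""
    parts = re.split(rb"\r?\n\r?\n", message, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) == 2 else b"")
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)      # join continuation lines
    for line in re.split(rb"\r?\n", unfolded):
        name, _, value = line.partition(b":")
        if name.strip().lower() == HEADER.lower().encode("ascii"):
            return body, base64.b64decode(b"".join(value.split()))
    return body, None   # unsigned mail: a client ignoring the header just shows the body


def verify_message(message: bytes) -> bool:
    body, sig = extract(message)
    return sig is not None and gpg_verify(body, sig)


if __name__ == "__main__":
    if shutil.which("gpg") is None:
        raise SystemExit("gpg not found on PATH")
    body = b"Hi,\r\n\r\nthe body of this mail is signed in a header.\r\n"   # constructed sample
    msg = build_message([("From", "me@example.org"), ("Subject", "header signature")],
                        body, gpg_detach_sign(body))
    print(msg.decode("ascii", "replace"))
    print("verified:", verify_message(msg))
    # Only the body is covered: this tampered copy must fail ...
    print("tampered body verifies:", verify_message(msg.replace(b"signed in", b"SIGNED in")))
    # ... while a changed Subject still verifies, which is the scheme's main gap.
    print("tampered subject verifies:",
          verify_message(msg.replace(b"Subject: header signature", b"Subject: PWNED")))
```

The fold and extract functions need nothing beyond the standard library; running the script end to end needs gpg with a secret key the agent can use. The two tampering checks at the end are the point a practitioner should take away: the signature binds only the body, so a forged Subject still verifies, and the body must arrive byte for byte, which PGP/MIME avoids by signing a canonicalized CRLF text part and this scheme does not.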
We might also want some optional fields so the receiver can fetch our public key for verification. For example:
PGP-pubkey-url: a URL where the receiver can fetch our public key.
PGP-keyserver: the URL of a keyserver where the receiver can look up our email address to get our public key.
PGP-pubkey-fingerprint: the short fingerprint of our public key, to check a key fetched from somewhere on the Internet. Note that this only protects against a key that was tampered with in transit: a forged email can carry a forged fingerprint and a forged URL just as easily, so trust in the key itself still has to come from somewhere else (a key seen before, or the web of trust).
Those are probably not enough, and might even be too much. Some people who know more about security than I do should discuss that. Personally, what I want most is better usability and graceful degradation.