John's PGP Info

My current public key is 0x9AB3250D, if you're looking for that.

What is PGP and why is John signing his messages using it?

Good question. You may have heard of PGP, which stands for "Pretty Good Privacy". Its primary use is for data encryption, and a lot of people are really down on encryption these days, because of the War on Terrorism. That's a valid discussion to have, and one that I'll be happy to have with you, but it has nothing to do with why I sign my e-mail.

Without getting into how PGP works, because there are people who can explain it a lot better than I can, the same key pair that enables you to encrypt your messages also enables you to sign them: you sign with your private key, and anyone who has your public key can check the signature. The good thing about this is that even people who don't use PGP can read your messages, because a signed message isn't encrypted or disguised in any way -- there's just a marker line at the top and a signature block at the bottom, with your plain text in between. But people who do use PGP can verify that it was actually you who sent the message.

That's the point. It's a reliable signature, computed from the exact message that you sent. So if anybody ever alters the message that you wrote, even a little, the signature will become invalid. The message can still be read, and non-PGP users will never even know that the signature is invalid, but PGP users will know either that it is not the exact message that you wrote or that it was not signed with the correct private key.

OK, so for whom might this be important? Anybody who might have fake e-mail generated under their name. So does John think he's so famous and important that people are going to send e-mail with his name on it? Heck no. I've used PGP off and on for several years, and I've been considering signing everything for a long time, just because it's a good idea (which I'll get into), but the straw that broke the camel's back was Daniel Pearl.

You know Daniel Pearl -- the Wall Street Journal reporter who was kidnapped in Pakistan. As I'm writing this, his fate is still unknown (Update: As of 2/21/02, it appears that the bastards killed him). But something really interesting happened a couple of days ago. There were e-mails sent, apparently by the kidnappers, that gave false information to the investigators. At long last, they finally determined that the e-mails were fake using other methods, but they could have known immediately. No matter how bad people are, there are times when they want people to know that it's really them talking, or e-mailing, or whatever.

If you used PGP, you could easily just click on an icon and tell PGP to verify the signature. The software finds the signature, checks it against the public keys that you have in your keyring, and pops up the name and e-mail address that go with the key that matches -- again, I'll try not to get into the technical details of how it works. One caveat: that name is only as good as the key it came with. If you haven't checked the key (by fingerprint, in person, or through someone you trust), a good signature only proves that whoever holds that key signed the message, not that the key really belongs to the person it says. But the checking itself is not difficult... it's downright easy.
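To show what the verifier is actually doing in the last three paragraphs, here is an added example that is not from this page and is not PGP itself. It uses Ed25519 keys from the Go standard library and an assumed, simplified framing (the marker lines are made up and will not interoperate with GnuPG); the names, addresses and message are constructed for the demonstration. It shows the three things claimed above: the text stays readable without any software, a one-word change breaks the signature, and the verifier can only name the signer if the matching key is already in its keyring.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ASSUMED, simplified framing that only mimics the shape of a clear-signed
// message. Not the OpenPGP format; it will not interoperate with GnuPG.
const (
	beginMarker = "-----BEGIN SIGNED MESSAGE-----"
	sigMarker   = "-----BEGIN SIGNATURE-----"
	endMarker   = "-----END SIGNATURE-----"
)

// KeyringEntry is what the verifier knows about one correspondent: the
// public key plus the name and address that were bound to it on import.
type KeyringEntry struct {
	Name   string
	Email  string
	Public ed25519.PublicKey
}

// NewCorrespondent makes a fresh key pair for a hypothetical person.
func NewCorrespondent(name, email string) (KeyringEntry, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return KeyringEntry{}, nil, err
	}
	return KeyringEntry{Name: name, Email: email, Public: pub}, priv, nil
}

// ClearSign leaves the text readable and appends a signature computed
// over the exact message bytes with the sender's private key.
func ClearSign(priv ed25519.PrivateKey, msg string) string {
	sig := ed25519.Sign(priv, []byte(msg))
	return beginMarker + "\n" + msg + "\n" + sigMarker + "\n" +
		base64.StdEncoding.EncodeToString(sig) + "\n" + endMarker + "\n"
}

// parse splits the framed text back into the message and the raw signature.
func parse(signed string) (string, []byte, error) {
	lines := strings.Split(strings.TrimRight(signed, "\n"), "\n")
	b, s, e := -1, -1, -1
	for i, l := range lines {
		switch {
		case l == beginMarker && b == -1:
			b = i
		case l == sigMarker && s == -1:
			s = i
		case l == endMarker && e == -1:
			e = i
		}
	}
	if b == -1 || s == -1 || e == -1 || b >= s || s >= e {
		return "", nil, errors.New("not a signed message")
	}
	body := strings.Join(lines[b+1:s], "\n")
	sig, err := base64.StdEncoding.DecodeString(strings.Join(lines[s+1:e], ""))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", nil, errors.New("malformed signature block")
	}
	return body, sig, nil
}

// Body is all a reader without verification software sees: the plain text.
func Body(signed string) (string, error) {
	body, _, err := parse(signed)
	return body, err
}

// Verify tries every key in the keyring and reports who signed. It fails if
// the text was altered after signing or if the signer's key is not in the
// keyring; the verifier cannot tell those two cases apart.
func Verify(keyring []KeyringEntry, signed string) (KeyringEntry, error) {
	body, sig, err := parse(signed)
	if err != nil {
		return KeyringEntry{}, err
	}
	for _, k := range keyring {
		if ed25519.Verify(k.Public, []byte(body), sig) {
			return k, nil
		}
	}
	return KeyringEntry{}, errors.New("BAD signature: message altered or signer not in keyring")
}

func main() {
	john, johnPriv, err := NewCorrespondent("John", "john@example.com") // hypothetical
	if err != nil {
		panic(err)
	}
	keyring := []KeyringEntry{john}
	signed := ClearSign(johnPriv, "Meet me at noon.") // constructed sample message
	if who, err := Verify(keyring, signed); err == nil {
		fmt.Printf("Good signature from %q <%s>\n", who.Name, who.Email)
	}
	// Change one word: still readable, but the signature no longer matches.
	tampered := strings.Replace(signed, "noon", "midnight", 1)
	body, _ := Body(tampered)
	fmt.Printf("Non-PGP reader sees: %q\n", body)
	if _, err := Verify(keyring, tampered); err != nil {
		fmt.Println("Verifier sees:", err)
	}
}
```

The keyring lookup is where the caveat above bites: Verify reports whatever name was stored next to the matching key, so importing a key without checking its fingerprint means trusting whoever supplied it to have labelled it honestly.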

If PGP (which is an open standard and freely available) were more widely accepted, the usefulness of e-mail communications would be multiplied. Today, any time we need a signature on something, we have to dust off the old fax machine, because for some reason a scratch of the pen is still the most official thing we have. But pen signatures can be easily forged. PGP signatures are far harder to forge: forging one means getting hold of the signer's private key.

So that's my point. The majority of people aren't even going to consider using PGP if those of us who understand and support the technology don't start using it regularly. So I flipped the switch on 2/5/2002, and I will try to send PGP-signed e-mail from now on.

PGP Links