Email authentication??

Mr. Bad mr.bad@pigdog.org
22 Jan 2000 14:14:22 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "SR" == Subba Rao <subb3@attglobal.net> writes:
SR> I have sucessfully installed GPG on my linux system and SR> generated the keys of myself. One of my users has genrated his SR> set of keys too. How can I authenticate the mail from this SR> user, when he sends it while away from the office? Email verification is one of the main uses of public-key encryption tools (like GPG). So, you're definitely not alone. :-) Your user -will- generally need to have his secret key available on the machine that his/her mail program is on. The user will _sign_ the message with his/her secret key, and then you can use their public key to verify the message. The steps necessary are probably as follows: 1) The user should use the "gpg --export" command to export their public key to a file. You can then use the "gpg --import" command to import their public key into your personal keyring. 2) If they will be working from a different machine, the user should copy their secret ring to the new machine (just copying ~/.gnupg works fine). They can also use "gpg --export" to export the key, and re-import it on the new machine. NOTE NOTE NOTE that the secret key and secret key ring is the _MOST_PRECIOUS_ item in GPG, and utmost care should be taken in moving it around. DEFINITELY make sure that he/she doesn't leave the key or keyring anywhere out of his/her control! This cannot be emphasized enough. 3) The user can then use a mail program to "sign" the message. If their mail program doesn't support GPG, they can write the message in a text editor, and then use the command "gpg --clearsign [message]" to sign the file. They can then cut-and-paste the file (with signature) into the mailer. NOTE that some mailers like Netscape or Outlook will convert plain text mail to HTML or RTF by default. Make sure that they use whatever settings necessary to make the mail "plain text." The "signature" will be a few lines of text around the body of the message. You can see an example in this current email message. 4) When you receive the message, you can use a GPG-aware mailer to "verify" the signed message. If you don't have a GPG-aware mailer, you can save the message to a file, and use "gpg --verify" to verify that the message is indeed from your user. Another method that may be easier is to have your user log on to the machine where you already have GPG installed, and use a mailer there. HOWEVER!! Please note that they should use a secure terminal program to log in to the machine, like SSH. ****Using Rlogin or telnet is very bad****, since they will send their GPG passphrase over the network without any encryption. Don't do that! Repeat: don't do that! I hope that that helps somewhat. There are a number of GPG-aware mail programs available from this URL: http://www.gnupg.org/download.html One that is very popular is Mutt (http://www.mutt.org/). Anyways, good luck. ~Mr. Bad - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mr. Bad <mr.bad@pigdog.org> Pigdog Journal | http://pigdog.org/ | RoR - Alucard ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4iiuwbZezvPSYodkRAkaHAJ9HQN4mbbaKi2GnEIJza7zFDbJKNACfQKRq Qv8fF8T5VBQ1HxxFOEAqDfo= =MfmX -----END PGP SIGNATURE-----