Email authentication??
Mr. Bad
mr.bad@pigdog.org
22 Jan 2000 14:14:22 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "SR" == Subba Rao <subb3@attglobal.net> writes:
SR> I have successfully installed GPG on my linux system and
SR> generated the keys of myself. One of my users has generated his
SR> set of keys too. How can I authenticate the mail from this
SR> user, when he sends it while away from the office?
Email verification is one of the main uses of public-key encryption
tools (like GPG). So, you're definitely not alone. :-)
Your user -will- generally need to have his secret key available on
the machine that his/her mail program is on. The user will _sign_ the
message with his/her secret key, and then you can use their public
key to verify the message. The steps necessary are probably as
follows:
1) The user should use the "gpg --export" command to export their public
key to a file. You can then use the "gpg --import" command to import
their public key into your personal keyring.
2) If they will be working from a different machine, the user should
copy their secret ring to the new machine (just copying ~/.gnupg works
fine). They can also use "gpg --export" to export the key, and
re-import it on the new machine.
NOTE NOTE NOTE that the secret key and secret key ring are the
_MOST_PRECIOUS_ items in GPG, and utmost care should be taken in
moving it around. DEFINITELY make sure that he/she doesn't leave
the key or keyring anywhere out of his/her control! This cannot be
emphasized enough.
3) The user can then use a mail program to "sign" the message. If
their mail program doesn't support GPG, they can write the message
in a text editor, and then use the command "gpg --clearsign
[message]" to sign the file. They can then cut-and-paste the file
(with signature) into the mailer. NOTE that some mailers like
Netscape or Outlook will convert plain text mail to HTML or RTF by
default. Make sure that they use whatever settings necessary to
make the mail "plain text."
The "signature" will be a few lines of text around the body of the
message. You can see an example in this current email message.
4) When you receive the message, you can use a GPG-aware mailer to
"verify" the signed message. If you don't have a GPG-aware mailer,
you can save the message to a file, and use "gpg --verify" to
verify that the message is indeed from your user.
Another method that may be easier is to have your user log on to the
machine where you already have GPG installed, and use a mailer
there. HOWEVER!! Please note that they should use a secure terminal
program to log in to the machine, like SSH. ****Using Rlogin or telnet
is very bad****, since they will send their GPG passphrase over the
network without any encryption. Don't do that! Repeat: don't do that!
I hope that that helps somewhat. There are a number of GPG-aware mail
programs available from this URL:
http://www.gnupg.org/download.html
One that is very popular is Mutt (http://www.mutt.org/).
Anyways, good luck.
~Mr. Bad
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Bad <mr.bad@pigdog.org>
Pigdog Journal | http://pigdog.org/ | RoR - Alucard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE4iiuwbZezvPSYodkRAkaHAJ9HQN4mbbaKi2GnEIJza7zFDbJKNACfQKRq
Qv8fF8T5VBQ1HxxFOEAqDfo=
=MfmX
-----END PGP SIGNATURE-----
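As an added example (not part of Mr. Bad's message), here is the clearsigned layout he points to in his own mail, parsed in Python: it reads the armor headers, undoes dash-escaping (the `- --` before his signature is one such escaped line), and separates the text the signature covers from the unsigned mail headers around it. The sample message is constructed and its signature line is a placeholder.

```python
# Added example: split a PGP clearsigned mail into its parts (RFC 4880 sec. 7).
# SAMPLE is constructed; its signature line is a placeholder, not real data.
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

SAMPLE = """\
From: user@example.com (constructed; mail headers are NOT covered by the signature)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please deploy the new build tonight.
- -- 
Mr. Example
-----BEGIN PGP SIGNATURE-----
AAAA (constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""


def split_clearsigned(text):
    """Return unsigned prefix, Hash: algorithms, signed text and armored signature."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    # Armor headers (Hash: ...) run until the first blank line.
    hashes, i = [], start + 1
    while i < sig_start and lines[i] != "":
        if lines[i].startswith("Hash:"):
            hashes += [h.strip() for h in lines[i][len("Hash:"):].split(",")]
        i += 1
    if i == sig_start:
        raise ValueError("missing blank line after armor headers")
    body = lines[i + 1:sig_start]
    # Undo dash-escaping: the signer prefixes "- " to any line starting with "-",
    # so the "-- " signature separator travels as "- -- ".
    body = [ln[2:] if ln.startswith("- ") else ln for ln in body]
    # Trailing spaces/tabs are removed before hashing, so they are not signed.
    signed_text = "\n".join(ln.rstrip(" \t") for ln in body)
    return {
        "unsigned_prefix": "\n".join(lines[:start]),
        "hashes": hashes,
        "signed_text": signed_text,
        "signature": "\n".join(lines[sig_start:sig_end + 1]),
    }
```

This only recovers what the signature covers; checking the signature itself still requires `gpg --verify` with the user's imported public key, and anything in `unsigned_prefix` (From:, Subject:) is not authenticated by it.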