how to read sent & encrypted mails

sen_ml@eccosys.com sen_ml@eccosys.com
Thu, 16 Nov 2000 15:16:51 +0900 (JST) 

From: Christoph Hertel <c.hertel@usa.net>
Subject: how to read sent & encrypted mails
Date: Wed, 15 Nov 2000 19:48:34 +0100


> Whenever I send encrypted mail, it is put in my sent-folder, too. The

> problem is, I cannot read it, since it is encrypted to the recipient.

> 

> What should I do? Send a Bcc to myself and double-encrypt the message?

> That works (lovely mua called mutt). The mail just gets a little bigger

> (or does the size double?) 


the message should only be a little bit larger because the way this is
probably done is that an extra pk encrypted session key is added to
the message (small) -- see rfc 2440 if interested.


> Does this confuse the average pgp(gpg)-user? Are there better solutions?

> Am I the first who has this problem? Can anybody give me an argument,

> why I should not double-encrypt my mail or why *only* the recipient

> should able to read a message.


1) if your secret key is compromised later and someone has access to
messages you sent via recipients, then they can read those messages if
you use "encrypt-to-self" features.

2) if you are not using the "speculative keyid" feature (see rfc 2440)
-- which you probably aren't if you are sending to users who are using
pgp (i.e. not gnupg) -- you are giving away your keyid info.  not a
big deal for most situations because you're likely doing that via the
envelope and message headers, but a problem if you have disguised
those through other means.

my preference is for the mua to create two separate messages -- one
encrypted to the recipient which is sent off and one stored for later
reference (encrypted or not -- an option perhaps).

i don't know of an mua/client which will do this.  perhaps the mutt
authors can be convinced to do so, if mutt doesn't already ;-)

iirc, adam back made some comments about this earlier this year after
the adk bug incident.  i think those comments may have been forwarded
to some pgp list (may be pgp-users@cryptorights.org?).

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org