GPG support in Mahogany
Toxik - Fabian Rodriguez
Tue Dec 10 20:49:03 2002
-----BEGIN PGP SIGNED MESSAGE-----
> We are beginning to provide support for PGP operations in Mahogany,
You mean OpenPGP of course... or GnuPG... ;)
The only "problem" I see in implementing signature + encryption as
encrypt(sign(content)) is that it would require 2 operations on the
recipient's end: one for decrypting, and *then* one for verification. The
same with sign(encrypt(content)).
> Something more specific to mails. When a message is signed, we should
> verify that the 'From:' header actually matches one of the IDs of the
> signing key. This prevents an attacker from forging headers to make the
> recipient believe he got the message from a third person.
What if I forward an email signed by somebody else?
"From:" headers are the easiest to fake, if you plan to include this, IMHO,
it should be optional, not obligatory.
Something nice would be to use the email to lookup/retrieve public keys
directly (right-clicking on the email?).
Fabian Rodriguez - Toxik Technologies, Inc.
www.toxik.com - (514) 528-6945 @221
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.92-cvs
-----END PGP SIGNATURE-----
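
The From: check debated in this message, as an added example that is not part of the original post or of Mahogany's code: it compares the From: addresses with the addresses in the signing key's user IDs and leaves enforcement to a policy flag, so a forwarded message signed by someone else produces a warning rather than a rejection. The function names, the `strict` flag and the sample user IDs are assumptions, and the signature itself is assumed to have verified already.

```python
import re
from email.utils import getaddresses

# Constructed sample user IDs, as they would be listed for a signing key.
SAMPLE_UIDS = [
    "Alice Example (work) <alice@example.org>",
    "Alice Example <Alice@Example.net>",
    "Alice Example",  # a user ID without an address is simply skipped
]

# Trailing "<addr>" of a user ID such as "Name (comment) <addr>",
# or a user ID that consists of a bare address.
_UID_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$|^\s*([^<>\s]+@[^<>\s]+)\s*$")


def uid_addresses(uids):
    """Collect the e-mail addresses named in the signing key's user IDs."""
    found = set()
    for uid in uids:
        m = _UID_ADDR.search(uid)
        if m:
            # Assumption: addresses are compared case-insensitively.
            found.add((m.group(1) or m.group(2)).lower())
    return found


def check_from(from_header, signer_uids, strict=False):
    """Return (verdict, accept) for a message whose signature verified.

    verdict is "match", "mismatch" or "no-from". With strict=False a
    mismatch is only a warning (accept stays True), which covers the
    forwarded-message case; with strict=True it is a rejection.
    """
    # Only the parsed address counts; a display name that merely looks
    # like an address is ignored.
    senders = {a.lower() for _, a in getaddresses([from_header]) if "@" in a}
    if not senders:
        return ("no-from", not strict)
    # Every From: address must appear on the key to count as a match.
    if senders <= uid_addresses(signer_uids):
        return ("match", True)
    return ("mismatch", not strict)


if __name__ == "__main__":
    for hdr in ("Alice <alice@example.org>",
                '"alice@example.org" <mallory@example.com>'):
        print(hdr, "->", check_from(hdr, SAMPLE_UIDS, strict=True))
```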