GPG support in Mahogany

[Xavier Nodet]

On Tue, 10 Dec 2002 14:49:34 -0500 Toxik - Fabian Rodriguez <Fabian.Rodriguez@Toxik.com> wrote:

>> We are beginning to provide support for PGP operations in Mahogany[1],
> You mean OpenPGP of course... or GnuPG... ;)

Oops, sorry! ;) Yes, yes...

> The only "problem" I see in implementing signature + encyption as
> encrpyt(sign(content)) is that it would require 2 operations on the
> recipient's end: one for decrypting, and *then* one for verification. The
> same with sign(encrypt(content)).

>> Something more specific to mails. When a message is signed, we should
>> verify that the 'From:' header actually matches one of the IDs of the
>> signing key. This prevents an attacker from forging headers to make the
>> recipient believe he got the message from a third person.

> What if I forward an email signed by somebody else ? 

If you forward the whole message, then the check should be against the
'forwarded headers'. This won't be so simple. 

Maybe simply displaying the primary ID of the signing key is enough,
after all...

> "From:" headers are the easiest to fake, if you plan to include this, IMHO,
> it should be optional, not obligatory.

Of course this would be optional.

> Seomthing nice would be to use the email to lookup/retrieve public keys
> directly (right-clicking on the email ?).

We already have a pop-up menu when right-clicking an email address. It
should be easy to add a 'look-up public key' entry. Thanks for the
suggestion.

-- 
Xavier Nodet
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin, 1759.