Getting ready to use gnupg for real

Newton Hammet newton@hammet.net
Thu Jul 18 12:43:02 2002


Hello All,

   I have the possibility of "work-for-hire" situation coming up and my potential
client
wants secure email traffic between the 2 of us getting the work done.

   I have proposed that we do the following ::

1. Both install gnupg-1.0.7.

2. Both generate a key-pair, each key-pair containing 1 RSA-2048bit signing key, and
1 RSA 2048bit
  encryption key.

3. Exchange public keys, sign em and all that.

4. A message consists of 2 parts:  1 message encrypted with public key of recipient.
                                   1 message which is the md5sum of the unencrypted
message (+ date/time,
                                    and sender's name), signed with private key of
sender.

It would seem that the above is maybe a reasonable protocol.  And 1 question is, is
the above, or something
as safe, already available say, with the 'gpg -se' for signing and encrypting the
same message, (I assume
gpg get's it right as to whose key to sign with and whose key to encrypt with).

And is md5sum still considered to be safe?  I hear everyone talking about SHA1 these
days. I get the
feeling that some of this is already done automagically by gnupg but not totally
sure.  I have written
scripts to accomplish step 4 in reasonably automatic fashion, with the exception of
passphrase prompting,
which I have eliminated for testing purposes by editting the keys and changing to a
null passphrase.

Right now we have not done any of the steps.  I have done 1-4 already with 2 user ids
in order to
test my scripts.

Regards, Newton