Getting ready to use gnupg for real

Adrian 'Dagurashibanipal' von Bidder
Thu Jul 18 14:21:01 2002

Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On Wed, 2002-07-17 at 06:49, Newton Hammet wrote:
> 1. Both install gnupg-1.0.7.
> 2. Both generate a key-pair, each key-pair containing 1 RSA-2048bit signi=
ng key, and
> 1 RSA 2048bit
>   encryption key.

Why RSA? gnupg per default uses DSA/ElG. keys, so I would go with the
default unless you have some specific requirement.
> 3. Exchange public keys, sign em and all that.

So far, so good.

> 4. A message consists of 2 parts:  1 message encrypted with public key of=
>                                    1 message which is the md5sum of the u=
> message (+ date/time,
>                                     and sender's name), signed with priva=
te key of
> sender.

Why such a complicated protocol? Many e-mail clients (sylpheed,
evolution, kmail, mutt, eudora, ...) offer built in gpg encryption &
signing, which guarantees privacy, authenticity and integrity.

The way it is done by the standard is: first, the message is signed
(with the sender's private key). The signed message is then encrypted
with the recipients public key.

The one unsolved problem (but your proposed system would not solve that,
also) is that Mail *headers* (To:, From:, Subject: etc.) are not
protected by signature and encryption, so you'll have to be very careful
what to put in the subject of your mail.

Also: be aware that your privacy is only protected as far as your secret
key is protected - the passwords users usually chose can be guessed by
brute force relatively quickly, if some attacker gains the secret key.

-- vbi

secure email with gpg               

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: GnuPG v1.0.7 (GNU/Linux)