Getting ready to use gnupg for real

Steve Butler
Thu Jul 18 16:38:01 2002

1.  Good.
2.  Why RSA?  I'm doing DSA/ELG 2048 bit keys.  [The primary is 1024 but the encrypting is 2048].
3.  Great.
4.  Just sign and encrypt the message.  I don't think md5sum will buy you

-----Original Message-----
From: Newton Hammet []
Sent: Tuesday, July 16, 2002 10:03 PM
Subject: Getting ready to use gnupg for real
Importance: High

Hello All,

   I have the possibility of "work-for-hire" situation coming up and my
wants secure email traffic between the 2 of us getting the work done.

   I have proposed that we do the following ::

1. Both install gnupg-1.0.7.

2. Both generate a key-pair, each key-pair containing 1 RSA-2048bit signing key, and 1 RSA 2048bit encryption key.

3. Exchange public keys, sign em and all that.

4. A message consists of 2 parts:
   1 message encrypted with public key of
   1 message which is the md5sum of the message (+ date/time, and sender's name), signed with private key of

It would seem that the above is maybe a reasonable protocol.  And 1 question is, is the above, or something as safe, already available say, with the 'gpg -se' for signing and encrypting the same message, (I assume gpg gets it right as to whose key to sign with and whose key to encrypt

And is md5sum still considered to be safe?  I hear everyone talking about SHA1 these days. I get the feeling that some of this is already done automagically by gnupg but not sure.  I have written scripts to accomplish step 4 in reasonably automatic fashion, with the exception of passphrase prompting, which I have eliminated for testing purposes by editing the keys and changing to a null passphrase.

Right now we have not done any of the steps.  I have done 1-4 already with 2 user ids in order to test my scripts.

Regards, Newton
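
An added example, not part of either message and not Newton's scripts: a single `gpg --sign --encrypt` call standing in for the two-part message of step 4, exercised against a throwaway keyring, with the signature's digest algorithm read back from gpg's status output. It assumes GnuPG 2.1 or later (for `--quick-generate-key`), not the gnupg-1.0.7 named in the thread; the user IDs, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway keyring, constructed test identities, no passphrases.
set -eu
ALICE="alice@example.invalid"   # sender: signs
BOB="bob@example.invalid"       # recipient: message is encrypted to this key

# Create a scratch GNUPGHOME holding two passphrase-less test keys.
make_keyring() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    for uid in "$ALICE" "$BOB"; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" default default
    done
}

# Sign as $ALICE and encrypt to $BOB in one OpenPGP message.
sign_encrypt() {    # $1 = plaintext file, $2 = output file
    gpg --batch --quiet --yes --armor -u "$ALICE" -r "$BOB" \
        --sign --encrypt --output "$2" "$1"
}

# Print the plaintext; succeed only if gpg reported both a successful
# decryption and a good signature. Status lines are kept in "$1.status".
decrypt_verify() {  # $1 = encrypted file
    gpg --batch --quiet --status-file "$1.status" --decrypt "$1" 2>/dev/null
    grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$1.status" &&
        grep -q '^\[GNUPG:\] GOODSIG ' "$1.status"
}

# Digest used by the signature, from the VALIDSIG status line
# (OpenPGP IDs: 1=MD5, 2=SHA-1, 8=SHA-256, 10=SHA-512).
sig_hash_algo() {   # $1 = status file
    awk '$2 == "VALIDSIG" { print $10 }' "$1"
}

cleanup() { gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"; }

if [ "${1:-}" = "demo" ]; then
    make_keyring
    printf 'constructed test message\n' > "$GNUPGHOME/msg.txt"
    sign_encrypt "$GNUPGHOME/msg.txt" "$GNUPGHOME/msg.asc"
    decrypt_verify "$GNUPGHOME/msg.asc"
    echo "signature digest id: $(sig_hash_algo "$GNUPGHOME/msg.asc.status")"
    cleanup
fi
```

Run it with the argument `demo`; the passphrase-less keys exist only in the scratch directory, which `cleanup` removes.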
