Using GPG to create virtual email addresses

Jacob Anawalt jacob@cachevalley.com
Thu Oct 2 03:19:01 2003


Jacob Anawalt said:
>
> Maybe there is some
> 'light signature' option that would work better.

Let me expand on this idea a little more. It seems that a signature must
have something that says what encryption was used and some info that
allows the unencoder to know whose signature it is and then an encoded
hash of the data it is signing. When I sign a lot of data the signature is
large. When I sign very little data, it is small. In either case there
seems to be a substantial amount of header data.

If we pre-agree on an algorithm and we know externally the claimed 'owner'
of the signature by looking at the MAIL FROM value, how small can the
signature be? Could it fit within (64 - size of GPG id + 1) and be only
local-part compliant data?

I would much prefer the double encrypted data idea, but if that is out of
the question then I would at least want a piece of signed data accessible
by the RCPT TO stage to help show the MAIL FROM was not forged.

There hasn't been a response yet so I wonder if I'm asking in the wrong
place or if people are reading this and rolling their eyes. Even a quick
note to say I'm way off base or looking in the wrong direction would be
appreciated. ;)

-- 
Jacob
Trying out SquirrelMail
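
An added example, not part of the original post: it works through the size budget asked about above, 64 - (size of key id + 1), and builds a local-part-safe tag bound to the MAIL FROM value that can be checked at RCPT TO time. A truncated HMAC-SHA256 under a shared secret stands in for the signature here, so this is not a GPG public-key signature. The "-" separator, the 8-character key id, the secret and the addresses are all constructed assumptions.

```python
import base64, hashlib, hmac

LOCAL_PART_MAX = 64  # RFC 5321 limit on the local-part, in octets
SEP = "-"            # assumed one-character separator (the "+ 1" in the post)

def tag_budget(key_id):
    """Characters left for the tag: 64 - (size of key id + 1)."""
    return LOCAL_PART_MAX - (len(key_id) + 1)

def b32_len(n_bytes):
    """Length of n_bytes in unpadded base32 (5 bits per character)."""
    return -(-n_bytes * 8 // 5)

def fits(raw_sig_bytes, key_id):
    """Would a raw signature of this size fit next to the key id?"""
    return b32_len(raw_sig_bytes) <= tag_budget(key_id)

def _tag(secret, mail_from, n_bytes):
    # Stand-in for the pre-agreed algorithm: HMAC-SHA256 over MAIL FROM,
    # truncated to n_bytes, lowercase base32 (a-z, 2-7), no padding.
    mac = hmac.new(secret, mail_from.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:n_bytes]).decode().rstrip("=").lower()

def _tag_bytes(key_id):
    # Largest whole number of bytes the budget can carry, capped at 32
    # because SHA-256 produces no more than that.
    return min(32, tag_budget(key_id) * 5 // 8)

def make_local_part(key_id, secret, mail_from):
    return key_id + SEP + _tag(secret, mail_from, _tag_bytes(key_id))

def verify_local_part(local_part, secret, mail_from):
    """Check at RCPT TO time that the tag matches the claimed MAIL FROM."""
    key_id, sep, tag = local_part.partition(SEP)
    n = _tag_bytes(key_id)
    if not sep or n <= 0 or len(local_part) > LOCAL_PART_MAX:
        return False
    expected = _tag(secret, mail_from, n)
    return hmac.compare_digest(tag.encode(), expected.encode())

if __name__ == "__main__":
    kid = "0a1b2c3d"  # constructed key id
    print("budget:", tag_budget(kid), "chars =", tag_budget(kid) * 5 // 8, "bytes")
    # Raw sizes: DSA with a 160-bit subgroup is 40 bytes, Ed25519 is 64 bytes.
    for name, size in (("DSA-160", 40), ("Ed25519", 64), ("32-byte tag", 32)):
        print(name, b32_len(size), "chars, fits:", fits(size, kid))
    lp = make_local_part(kid, b"constructed-secret", "alice@example.org")
    print(lp, len(lp), verify_local_part(lp, b"constructed-secret", "alice@example.org"))
```

With an 8-character key id the budget is 55 characters, or 34 bytes of base32 payload, so a raw 40-byte DSA signature (64 characters) already fills the whole local-part on its own and does not fit next to the key id.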