Would this be safe?

Adrian 'Dagurashibanipal' von Bidder avbidder at fortytwo.ch
Thu Oct 23 09:15:06 CEST 2003


On Wednesday 22 October 2003 00:34, Jeff Schmidt wrote:

> willing to critique a potential use I'm thinking of putting GPG to.  In
> a nutshell, I have a website that I want to have a form that users can
> fill out (on an ssl-secured page) that would include personal
> information (possibly credit card or other payment info).  The company

Looks fine so far.

[signing the mails]
Let's first look at what attacks are possible: basically, somebody could send 
a bogus order email directly, instead of entering it in the web form.

From what you say (order emails are processed automatically, web site is on a 
big hosting server anyway), I think your assessment is correct that signing 
doesn't buy you a big benefit.


To which key do you want to encrypt the emails? I would recommend that you 
generate a special key pair for this and do not just use the key pair of the 
show owner. So either the shop owner or the ordering system can change the 
key without much hassle - and as gpg with multiple secret keys works just 
normal (selects the right secret key to decrypt automatically), the 
additional work is close to zero.

cheers
-- vbi


-- 
featured product: PostgreSQL - http://postgresql.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 331 bytes
Desc: signature
Url : /pipermail/attachments/20031023/bb00fd61/attachment.bin


More information about the Gnupg-users mailing list