Would this be safe?
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Thu Oct 23 09:15:06 CEST 2003
On Wednesday 22 October 2003 00:34, Jeff Schmidt wrote:
> willing to critique a potential use I'm thinking of putting GPG to. In
> a nutshell, I have a website that I want to have a form that users can
> fill out (on an ssl-secured page) that would include personal
> information (possibly credit card or other payment info). The company
Looks fine so far.
[signing the mails]
Let's first look at what attacks are possible: basically, somebody could send
a bogus order email directly, instead of entering it in the web form.
From what you say (order emails are processed automatically, web site is on a
big hosting server anyway), I think your assessment is correct that signing
doesn't buy you a big benefit.
To which key do you want to encrypt the emails? I would recommend that you
generate a special key pair for this and do not just use the key pair of the
show owner. So either the shop owner or the ordering system can change the
key without much hassle - and as gpg with multiple secret keys works just
normal (selects the right secret key to decrypt automatically), the
additional work is close to zero.
cheers
-- vbi
--
featured product: PostgreSQL - http://postgresql.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 331 bytes
Desc: signature
Url : /pipermail/attachments/20031023/bb00fd61/attachment.bin
More information about the Gnupg-users
mailing list