linux at codehelp.co.uk
Mon Jul 25 12:32:46 CEST 2005
On Monday 25 July 2005 4:06 am, Michael Nguyen wrote:
> Eh...something very custom for our customer base. It wouldn't be useful to
> anyone else.
Assumption is the mother of all $^£&*^ ups.
> Basically, what I'm going to do is allow a PGP option for our
> users. We'll have a bunch of key generation and storage stuff, but the
> part I'm going to write is this:
> - Email comes in for user
> - If user is set to have "PGP enabled", check to see if the email is
> - If encrypted, check the user's key rings and decrypt it
Presumably users are aware that this would render their own keys insecure so
you're using "group" or "corporate" keys via your key generation/storage?
Why then check the *user's* keyrings? Shouldn't that be the central keyring of
generated keys (presumably with no passphrase).
Users should not be given the impression that these keys are secure for use
with personal email, keysigning etc.
> - Write this new decrypted buffer to the maildir
For absolutely anyone to read - you're merely using encryption for the
external part of the mail chain? You assume that your internal security is
sufficient to prevent unauthorised users within the company reading the
> That's really rough, but I hope you see what I'm getting at.
Well I wouldn't use it! :-)
If I encrypt to someone, I expect that person to be the only person to be able
to decrypt the message. I do not expect some automated script to be able to
decrypt it in passing - I wouldn't sign any such key so exactly who or what
is encrypting to this script?
Have you looked at x.509 certificates that have a different trust model,
perhaps more suited to a "group" or "corporate" model rather than the
individual trust inherent in GnuPG/PGP?
> I intend to
> do the same thing for outgoing mail.
Automated encryption is fine - if you've got sufficient keys - but automated
decryption always weakens the security and can make encryption itself
worthless. How secure is the server that runs the script? How secure do you
actually need the communication? Wouldn't using standard protocols via SSH
accomplish the same end via much simpler (and standardised) methods?
I use a script to automatically encrypt messages from the server to those
members who have suitable keys, but I'd never trust any server open to the
internet sufficiently to decrypt messages automatically.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050725/08e5ebc5/attachment.pgp
More information about the Gnupg-users