Getting Started...

Neil Williams linux at
Mon Jul 25 12:32:46 CEST 2005

On Monday 25 July 2005 4:06 am, Michael Nguyen wrote:
> Eh...something very custom for our customer base.  It wouldn't be useful to
> anyone else.

Assumption is the mother of all $^£&*^ ups.

> Basically, what I'm going to do is allow a PGP option for our 
> users.  We'll have a bunch of key generation and storage stuff, but the
> part I'm going to write is this:
>  - Email comes in for user
>  - If user is set to have "PGP enabled", check to see if the email is
> encrypted
>  - If encrypted, check the user's key rings and decrypt it

Presumably users are aware that this would render their own keys insecure so 
you're using "group" or "corporate" keys via your key generation/storage? 

Why then check the *user's* keyrings? Shouldn't that be the central keyring of 
generated keys (presumably with no passphrase)?

Users should not be given the impression that these keys are secure for use 
with personal email, keysigning etc.

>  - Write this new decrypted buffer to the maildir

For absolutely anyone to read - you're merely using encryption for the 
external part of the mail chain? You assume that your internal security is 
sufficient to prevent unauthorised users within the company reading the 

> That's really rough, but I hope you see what I'm getting at.

Well I wouldn't use it! :-)

If I encrypt to someone, I expect that person to be the only person to be able 
to decrypt the message. I do not expect some automated script to be able to 
decrypt it in passing - I wouldn't sign any such key so exactly who or what 
is encrypting to this script?

Have you looked at X.509 certificates that have a different trust model, 
perhaps more suited to a "group" or "corporate" model rather than the 
individual trust inherent in GnuPG/PGP?

> I intend to 
> do the same thing for outgoing mail.

Automated encryption is fine - if you've got sufficient keys - but automated 
decryption always weakens the security and can make encryption itself 
worthless. How secure is the server that runs the script? How secure do you 
actually need the communication? Wouldn't using standard protocols via SSH 
accomplish the same end via much simpler (and standardised) methods?

I use a script to automatically encrypt messages from the server to those 
members who have suitable keys, but I'd never trust any server open to the 
internet sufficiently to decrypt messages automatically.


Neil Williams
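
The "check to see if the email is encrypted" step from the quoted plan, as an added Python example that is not part of the original thread: it classifies a raw message as PGP/MIME (RFC 3156), inline ASCII-armored, or not encrypted, and needs no key material to do so. The function name, return labels and sample messages are constructed for illustration.

```python
import email
from email import policy

ARMOR = "-----BEGIN PGP MESSAGE-----"

def classify_pgp(raw: bytes) -> str:
    """Return 'pgp-mime', 'inline' or 'none' for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        # RFC 3156: protocol parameter plus exactly two parts, a control
        # part and the encrypted payload as application/octet-stream.
        proto = str(msg.get_param("protocol") or "").lower()
        parts = msg.get_payload() if msg.is_multipart() else []
        ok = (proto == "application/pgp-encrypted" and len(parts) == 2
              and parts[0].get_content_type() == "application/pgp-encrypted"
              and parts[1].get_content_type() == "application/octet-stream")
        return "pgp-mime" if ok else "none"  # malformed: do not guess
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = part.get_content()
        except (LookupError, UnicodeError):
            continue  # undecodable charset: treat as not armored
        # The armor header must stand alone on a line; a mention inside a
        # sentence or a '>'-quoted copy is not an encrypted body.
        if any(line.strip() == ARMOR for line in body.splitlines()):
            return "inline"
    return "none"

# Constructed sample messages (placeholders, no real ciphertext).
HDR = b"From: a@example.org\r\nTo: b@example.org\r\nSubject: t\r\nMIME-Version: 1.0\r\n"
PGP_MIME = (HDR + b'Content-Type: multipart/encrypted; boundary="x"; '
            b'protocol="application/pgp-encrypted"\r\n\r\n'
            b"--x\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
            b"--x\r\nContent-Type: application/octet-stream\r\n\r\n"
            b"-----BEGIN PGP MESSAGE-----\r\n\r\nplaceholder\r\n-----END PGP MESSAGE-----\r\n"
            b"--x--\r\n")
INLINE = HDR + b"Content-Type: text/plain\r\n\r\n" + ARMOR.encode() + b"\r\n\r\nplaceholder\r\n"
MENTION = HDR + b"Content-Type: text/plain\r\n\r\nLook for " + ARMOR.encode() + b" in the body.\r\n"

if __name__ == "__main__":
    for name, raw in [("pgp-mime", PGP_MIME), ("inline", INLINE), ("mention", MENTION)]:
        print(name, "->", classify_pgp(raw))
```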


More information about the Gnupg-users mailing list