easy way to confirm email validity

Peter Todd pete at petertodd.ca
Thu May 24 19:43:13 CEST 2007


On Thu, May 24, 2007 at 10:29:11AM -0700, ptr wrote:
> 
> I cannot "force" my recipients to install any PGP software so I was thinking
> about creating signature verification form on my website. If someone wanted
> to check if the email is really from me, he/she could paste the signed email
> part on the form, then the server-side script would verify that.
> 
> I'm quite new to PGP, so correct me if I'm wrong and don't laugh too much :)
> ; would this be achievable?
> I know I'd need to have my public key accessible to the validation script.
> 
> 
> While writing this response I've actually stumbled across a page that I
> think does what I need (http://www.sin-online.nl/ds/)
> 
> Actual coding of the script should be v.easy, I'm just not sure if the
> concept is correct.

A big problem with the idea is what you're telling your recipients, i.e.
that by going to a completely untrusted site you can somehow trust an
email. I suspect that a recipient with enough technical know-how to
properly use such a verifier, i.e. type in the URL themselves and make
sure the site is SSL encrypted with a trusted certificate, wouldn't find
it that much harder to simply install PGP software.

For instance the page you mentioned is vulnerable to DNS poisoning
attacks as it's not SSL encrypted. Theoretical? Sure, but forged email
messages aren't all that much less theoretical if your recipients know
how to look at headers.

-- 
http://petertodd.ca
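As an added example (not code from this thread, from GnuPG, or from the sin-online page), here is how the server-side script ptr describes could evaluate a pasted clear-signed message: it runs gpg against an isolated keyring directory holding only the site owner's public key, reads the machine-readable `--status-fd` output instead of grepping "Good signature", and accepts only a VALIDSIG whose fingerprint matches a pinned value, failing closed on BADSIG, expired or revoked keys, or no signature at all. The fingerprint, key ID, user ID and status lines in the samples are constructed; gpg on PATH is assumed only for the live run in `__main__`. Peter's objection is untouched by any of this: the result means nothing to a visitor unless the page itself is reached over TLS with a trusted certificate.

```python
"""Server-side verification of a clear-signed OpenPGP message via gpg's
--status-fd output. Added example for this thread; not code from the
list, GnuPG, or http://www.sin-online.nl/ds/. Status keywords follow
gnupg's doc/DETAILS; sample lines below are constructed."""
import subprocess
import tempfile
from typing import Dict, List

# Keywords that must never be reported to a visitor as a valid signature.
FATAL = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG",
         "REVKEYSIG", "NO_PUBKEY"}

# Constructed fingerprint of the site owner's key (hypothetical value).
PINNED_FPR = "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"


def parse_status(status_text: str) -> List[List[str]]:
    """Split '[GNUPG:] KEYWORD args...' lines into [keyword, args...] lists.
    Anything without the status prefix (gpg's human-readable chatter) is
    ignored, so a message containing the words 'Good signature' in its
    body cannot influence the decision."""
    records = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if fields:
            records.append(fields)
    return records


def evaluate_status(status_text: str, expected_fpr: str) -> Dict[str, object]:
    """Decide whether the pasted text should be shown as genuinely signed.
    Fail closed: require a VALIDSIG whose signing-key fingerprint (or the
    primary-key fingerprint in field 10) equals the pinned one, and no
    failure keyword anywhere in the output (a message may carry several
    signatures; one bad or foreign signature rejects the whole thing)."""
    expected = expected_fpr.replace(" ", "").upper()
    result = {"ok": False, "reason": "no signature found", "fingerprint": None}
    for rec in parse_status(status_text):
        kw = rec[0]
        if kw in FATAL:
            return {"ok": False, "reason": kw, "fingerprint": None}
        if kw == "VALIDSIG" and len(rec) >= 2:
            fpr = rec[1].upper()
            primary = rec[10].upper() if len(rec) >= 11 else fpr
            if expected not in (fpr, primary):
                return {"ok": False, "reason": "signed by a different key",
                        "fingerprint": fpr}
            result = {"ok": True, "reason": "VALIDSIG from pinned key",
                      "fingerprint": fpr}
    return result


def verify_with_gpg(signed_text: str, expected_fpr: str, homedir: str) -> Dict[str, object]:
    """Run gpg in batch mode against an isolated --homedir that contains only
    the site owner's public key (so no other key can produce a VALIDSIG),
    send status lines to stdout, and evaluate them. Assumes gpg on PATH."""
    with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as fh:
        fh.write(signed_text)
        path = fh.name
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--homedir", homedir,
         "--status-fd", "1", "--verify", path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout, expected_fpr)


# Constructed status output, shaped like gpg's, for offline demonstration.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Owner <owner@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2007-05-24 1180030993 0 4 0 1 2 01 0000111122223333444455556666777788889999
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Owner <owner@example.org>
"""
SAMPLE_OTHER_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.org>
[GNUPG:] VALIDSIG AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 2007-05-24 1180030993 0 4 0 1 2 01 AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
"""

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD),
                         ("other key", SAMPLE_OTHER_KEY)]:
        print(name, evaluate_status(sample, PINNED_FPR))
```

The decision hinges on `evaluate_status`: it pins the expected fingerprint rather than trusting any key in the keyring, treats gpg's human-readable text as noise, and rejects when any failure keyword appears, so a message with one good and one bad signature is not reported as genuine.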

