easy way to confirm email validity

Peter Todd pete at petertodd.ca
Thu May 24 20:54:57 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 24, 2007 at 11:37:09AM -0700, ptr wrote:
> 
> Agree with the DNS poisoning, my form would need to be SSL'ed with my private
> certificate.
> 
> In terms of educating my recipients - yes, it may be tricky, that is
> probably the weakest point of my concept, will need to think how to approach
> it.
> The solution should be both easy for the recipient, but also somehow
> spam/hack proof.
> Errrr...
 
And when you think about it, if the user has to go to your site to
validate the email, why not just put the message on your site in the
first place?

> Just one more question:
> What parameters are used to create the hash? well, apart the message itself
> and my private key.

That's it.

As an example this email, signed by me, is using an inline PGP
signature. The *only* thing included in the hash is what is between the
START and END bits, that's it, no headers no nothing. I'm not positive,
but I believe the MIME-based PGP is pretty similar. Of course, this means
that you can fake the headers without invalidating the signature...

Of course, it's also why it's so trivial to handle, just feed the
message to gpg --verify and check the result. Trivial. 

- -- 
http://petertodd.ca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVd+B3bMhDbI9xWQRAr1HAJsEKu/CPZsz6JMTRiAHNx4GWQgTzgCgjkwo
+wbmfNOugtlIIyoIKvxwEhU=
=G6h6
-----END PGP SIGNATURE-----
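The point made above, that an inline (cleartext) PGP signature covers only the text between the signed-message and signature markers and none of the mail headers, as an added example that is not part of the original message. It models the cleartext framing rules of RFC 4880 (dash-escaping removed, trailing whitespace stripped, CRLF line endings, no line ending before the signature line) and shows that changing `Subject:` leaves the covered digest unchanged while changing the body alters it. Assumptions: the sample mail, its addresses and its signature block are constructed placeholders, and the digest computed here is a coverage demonstration only, since a real OpenPGP signature also hashes a signature-subpacket trailer; the actual check remains `gpg --verify`.

```python
"""Which bytes a cleartext PGP signature covers, and which it does not.

Added example, not from the original message. Models the cleartext
signature framing of RFC 4880 section 7; the digest is illustrative
and is NOT the digest gpg computes (that one also covers a signature
subpacket trailer). Real verification is still `gpg --verify`.
"""
import hashlib
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample mail: headers, a clearsigned body, and a placeholder
# signature block (not a real signature, just the armor shape).
SAMPLE_MAIL = """From: alice@example.invalid
Subject: original subject
Date: Thu, 24 May 2007 14:54:57 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Agreed, the hash covers only the message text.  
- -- 
http://example.invalid
-----BEGIN PGP SIGNATURE-----
Version: placeholder

AAAA
=0000
-----END PGP SIGNATURE-----
"""


def extract_signed_text(mail: str) -> str:
    """Return the canonicalized text the cleartext signature is computed over."""
    lines = mail.split("\n")
    try:
        start = lines.index(BEGIN_SIGNED)
        end = lines.index(BEGIN_SIG, start)
    except ValueError:
        raise ValueError("not a cleartext-signed message")
    # Skip the armor headers ("Hash: SHA1") up to and including the blank line.
    body_start = start + 1
    while body_start < end and lines[body_start] != "":
        body_start += 1
    body_start += 1
    canon = []
    for line in lines[body_start:end]:
        if line.startswith("- "):          # undo dash-escaping
            line = line[2:]
        canon.append(line.rstrip(" \t"))   # trailing whitespace is not signed
    # CRLF line endings; the line ending before BEGIN PGP SIGNATURE is not hashed.
    return "\r\n".join(canon)


def hash_name(mail: str) -> str:
    """Read the 'Hash:' armor header; the sample declares SHA1."""
    m = re.search(r"^Hash: (\S+)$", mail, re.M)
    return m.group(1).lower() if m else "sha1"


def covered_digest(mail: str) -> str:
    """Digest of only the covered span (illustrative, not gpg's digest)."""
    h = hashlib.new(hash_name(mail))
    h.update(extract_signed_text(mail).encode("utf-8"))
    return h.hexdigest()


def header_change_alters_digest(mail: str) -> bool:
    """Rewriting a mail header: expected False, headers are outside the span."""
    tampered = mail.replace("Subject: original subject", "Subject: forged subject")
    return covered_digest(tampered) != covered_digest(mail)


def body_change_alters_digest(mail: str) -> bool:
    """Rewriting the signed body: expected True."""
    tampered = mail.replace("Agreed,", "Disagreed,")
    return covered_digest(tampered) != covered_digest(mail)


if __name__ == "__main__":
    print("covered text:", repr(extract_signed_text(SAMPLE_MAIL)))
    print("header change detected:", header_change_alters_digest(SAMPLE_MAIL))
    print("body change detected:  ", body_change_alters_digest(SAMPLE_MAIL))
```

A verifier that wants to bind the sender identity to the signed content therefore has to compare the key that signed the body against the claimed `From:` itself, or put the relevant identity inside the signed text; a valid signature on its own says nothing about the headers.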



More information about the Gnupg-users mailing list