Help with GNU PGP - no password prompt when sending e-mails
faramir.cl at gmail.com
Sat Nov 20 17:32:18 CET 2010
On 20-11-2010 12:41, Gold IsMoney wrote:
> Thank you for the quick reply. You're right - I didn't realize the
> thing about signing since I usually don't use it. It makes perfect
> sense though - so I know now that if I receive an encrypted e-mail from
> a sender but it's only encrypted, not signed - all I know is that the
> sender has access to the private key.. not necessarily the password. It
> 'should' be the sender, but not necessarily.

No, no, he didn't have access to any private key, he just had access
to YOUR public key.

To encrypt a message, I need access to the public key of the
recipient, and since it is public, anyone can have access to it without
any security risk.

To sign a message, I need access to my own private key.

To check a signature issued by someone else, I need access to the
public key of the sender.

To decrypt a message, I need access to my private key.

To "prove" a message comes from somebody, the message should have a
signature, otherwise it can come from anybody with access to the
sender's e-mail account.

To prevent people from signing things with your key (or reading your
encrypted messages), you need to use a good password (more likely, a
passphrase), and don't leave your computer alone while the password is
cached in memory (you can set a short amount of time for it to be
remembered, or you can clean the cached password before leaving).

To prevent people from sending messages using your e-mail address, you

1.- Protect your Windows account with a password, and never leave the
computer with your session open.

2.- Don't let Thunderbird store your e-mail account password (so you
would have to enter it manually each and every time you want to use the
e-mail account... very inconvenient).

3.- Protect Thunderbird's password database with a Master Password, and
close Thunderbird each time you leave the computer alone.

Keep in mind that, according to the OpenPGP point of view (if I understood
it right), your identity is checked by your signature, not by the e-mail
account used to send the message.
More information about the Gnupg-users
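
The key roles listed in the message above, as an added example that is not part of the original mail: two separate GnuPG home directories stand in for sender and recipient, so each operation can only use the keys that party really holds. It assumes `gpg` from GnuPG 2.2 or later; the identities, addresses and message text are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original mail). Assumes gpg from GnuPG 2.2 or later.
# Identities, addresses and the message are constructed for the demo.
set -u
DEMO=$(mktemp -d); S="$DEMO/sender"; R="$DEMO/recipient"
mkdir -m 700 "$S" "$R"
trap 'for h in "$S" "$R"; do gpgconf --homedir "$h" --kill gpg-agent; done; rm -rf "$DEMO"' EXIT

# g HOMEDIR ARGS...: run gpg unattended against one party's own keyring.
# The empty passphrase only keeps the demo non-interactive; real keys need one.
g() { local home=$1; shift
      gpg --homedir "$home" --batch --yes --quiet --no-tty --trust-model always \
          --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

setup_keys() {
  g "$R" --quick-generate-key 'Recipient <rcpt@example.test>' default default never
  g "$S" --quick-generate-key 'Sender <sender@example.test>' default default never
  # Only public keys ever change hands.
  g "$R" --export rcpt@example.test   | g "$S" --import
  g "$S" --export sender@example.test | g "$R" --import
  echo 'meet at noon' > "$DEMO/msg.txt"
}

# Encrypt only: uses nothing but the recipient's public key.
encrypt_only() { g "$S" -o "$DEMO/enc.gpg" -e -r rcpt@example.test "$DEMO/msg.txt"; }

# Recipient decrypts with their private key; prints gpg's machine-readable status lines.
recipient_status() { g "$R" --status-fd 1 -o "$DEMO/out.txt" -d "$1"; }

# The sender holds no matching private key, so this returns non-zero.
sender_can_decrypt() { g "$S" -o "$DEMO/leak.txt" -d "$DEMO/enc.gpg"; }

# Sign and encrypt: additionally uses the sender's own private key.
sign_and_encrypt() { g "$S" -o "$DEMO/se.gpg" -s -e -u sender@example.test \
                       -r rcpt@example.test "$DEMO/msg.txt"; }

setup_keys && encrypt_only && sign_and_encrypt
echo "encrypted only  : $(recipient_status "$DEMO/enc.gpg" | grep -c GOODSIG) good signature(s)"
echo "signed+encrypted: $(recipient_status "$DEMO/se.gpg" | grep -c GOODSIG) good signature(s)"
sender_can_decrypt || echo "sender cannot decrypt what they encrypted for the recipient"
```

Both messages decrypt for the recipient, but only the signed one yields a `GOODSIG` status line tying it to the sender's key.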