Help with GNU PGP - no password prompt when sending e-mails

Faramir at
Sat Nov 20 17:32:18 CET 2010

On 20-11-2010 12:41, Gold IsMoney wrote:
> Thank you for the quick reply.  You're right - I didn't realize the
> thing about signing since I usually don't use it.  It makes perfect
> sense though - so I know now that if I receive an encrypted e-mail from
> a sender but it's only encrypted, not signed - all I know is that the
> sender has access to the private key.. not necessarily the password. It
> 'should' be the sender, but not necessarily.

  No, no, he didn't have access to any private key, he just had access
to YOUR public key.

  To encrypt a message, I need access to the public key of the
recipient, and since it is public, anyone can have access to it without
any security risk.

  To sign a message, I need access to my own private key.

  To check a signature issued by someone else, I need access to the
public key of the sender.

  To decrypt a message, I need access to my private key.

  To "prove" a message comes from somebody, the message should have a
signature, otherwise it can come from anybody with access to the
sender's e-mail account.

  To prevent people from signing things with your key (or reading your
encrypted messages), you need to use a good password (more likely, a
passphrase), and don't leave your computer alone while the password is
cached in memory (you can set a short amount of time for it to be
remembered, or you can clean the cached password before leaving).

  To prevent people from sending messages using your e-mail address, you
can either:

1.- Protect your Windows account with a password, and never leave the
computer with your session open.

2.- Don't let Thunderbird store your e-mail account password (so you
would have to enter it manually each and every time you want to use the
e-mail account... very inconvenient).

3.- Protect Thunderbird's password database with a Master Password, and
close Thunderbird each time you leave the computer alone.

  Keep in mind that, according to the OpenPGP point of view (if I understood
it right), your identity is checked by your signature, not by the e-mail
account used to send the message.

  Best Regards
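
The key roles listed in the reply above, reproduced with GnuPG commands; this is an added example, not part of the original message. It assumes GnuPG 2.1 or later in a Unix-like shell, and the keyring names, example.org addresses and helper functions are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway keyrings under a temp dir, example.org identities.
set -eu
WORK=$(mktemp -d)
cleanup() {
  for h in alice bob stranger; do
    gpgconf --homedir "$WORK/$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# g <keyring> <gpg args...>: run gpg against one person's keyring, never prompting.
g() {
  local home=$1; shift
  gpg --homedir "$WORK/$home" --batch --yes --quiet --no-tty \
      --pinentry-mode loopback --passphrase '' --trust-model always "$@"
}
new_key()     { g "$1" --quick-generate-key "$2" default default never; }
give_pubkey() { g "$1" --armor --export "$3" | g "$2" --import; }

for h in alice bob stranger; do mkdir -m 700 "$WORK/$h"; done
new_key alice alice@example.org                 # recipient
new_key bob   bob@example.org                   # sender who owns a private key
give_pubkey alice stranger alice@example.org    # stranger holds ONLY Alice's public key
give_pubkey alice bob      alice@example.org
give_pubkey bob   alice    bob@example.org      # Alice needs this to check Bob's signature

# Encrypt only: the recipient's public key is all that is required.
echo "claims to be from Bob" |
  g stranger --recipient alice@example.org --output "$WORK/unsigned.gpg" --encrypt
# Sign and encrypt: additionally uses the sender's own private key.
echo "really from Bob" |
  g bob --recipient alice@example.org --output "$WORK/signed.gpg" --sign --encrypt

# alice_sees <file> <KEYWORD>: true if Alice's gpg reports that status keyword.
alice_sees() {
  local status
  status=$(g alice --status-fd 1 --output /dev/null --decrypt "$WORK/$1" 2>/dev/null)
  case $status in *"[GNUPG:] $2"*) return 0 ;; *) return 1 ;; esac
}

for f in unsigned.gpg signed.gpg; do
  alice_sees "$f" DECRYPTION_OKAY && echo "$f: Alice can decrypt it"
  if alice_sees "$f" GOODSIG; then echo "$f: valid signature, sender's key identified"
  else echo "$f: no signature, sender unknown"; fi
done
```

Both files decrypt for Alice, but only the one produced with Bob's private key yields a `GOODSIG` status line.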