GPG support in Mahogany

Toxik - Fabian Rodriguez Fabian.Rodriguez@Toxik.com
Tue Dec 10 20:49:03 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> We are beginning to provide support for PGP operations in Mahogany[1],
You mean OpenPGP of course... or GnuPG... ;)

The only "problem" I see in implementing signature + encryption as
encrypt(sign(content)) is that it would require 2 operations on the
recipient's end: one for decrypting, and *then* one for verification. The
same with sign(encrypt(content)).

> Something more specific to mails. When a message is signed, we should
> verify that the 'From:' header actually matches one of the IDs of the
> signing key. This prevents an attacker from forging headers to make the
> recipient believe he got the message from a third person.

What if I forward an email signed by somebody else?

"From:" headers are the easiest to fake, if you plan to include this, IMHO,
it should be optional, not obligatory.
Something nice would be to use the email to lookup/retrieve public keys
directly (right-clicking on the email?).

Fabian Rodriguez - Toxik Technologies, Inc.
www.toxik.com - (514) 528-6945 @221
OpenPGP: 0x5AF2A4D5 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.92-cvs

iD8DBQE99kU3fUcTXFrypNURAr23AJ4xBKc0hPATUgfZijK0YRkInBCG9wCgtvuc
86YtdD+4MdElaeZWnQlqu5s=
=EDkb
-----END PGP SIGNATURE-----
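
The 'From:' versus key-ID check debated in this message, with the optional (advisory) mode the reply asks for, as an added example that is not part of the original post and is not Mahogany's code. It assumes the signature was already verified cryptographically and that the OpenPGP backend hands over the signing key's user IDs as strings; the function and sample names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def _norm(addr):
    # Assumption: compare case-insensitively, as most mail systems do.
    addr = addr.strip().lower()
    return addr if "@" in addr else None


def check_from_against_uids(raw_message, signer_uids, strict=False):
    """Compare From: with the user IDs of the key behind a valid signature.

    Returns (accepted, status); status is "match", "mismatch" or "no-from".
    strict=False keeps the check advisory: a mismatch (for example a
    forwarded message signed by someone else) is reported, not rejected.
    """
    uid_addrs = {_norm(parseaddr(uid)[1]) for uid in signer_uids} - {None}
    headers = message_from_string(raw_message).get_all("From", [])
    from_addrs = {_norm(a) for _, a in getaddresses(headers)} - {None}
    if not from_addrs:
        return (not strict, "no-from")
    if from_addrs <= uid_addrs:
        return (True, "match")
    return (not strict, "mismatch")


# Constructed sample data (not taken from the thread).
UIDS = ["Alice Example <alice@example.org>",
        "Alice Example (work) <alice@corp.example>",
        "Release signing key"]          # user ID without an address
DIRECT = "From: Alice Example <Alice@Example.ORG>\nSubject: hi\n\nbody\n"
FORWARDED = "From: Bob <bob@example.net>\nSubject: Fwd: hi\n\nsigned text\n"
LOOKALIKE = 'From: "Alice Example" <mallory@example.net>\n\nbody\n'

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("forwarded", FORWARDED),
                      ("lookalike", LOOKALIKE)]:
        print(name, check_from_against_uids(raw, UIDS),
              check_from_against_uids(raw, UIDS, strict=True))
```

The comparison uses only the addr-spec, so a display name that imitates the signer does not produce a match.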