Getting ready to use gnupg for real

Steve Butler sbutler@fchn.com
Thu Jul 18 16:38:01 2002 

1.  Good.
2.  Why RSA?  I'm doing DSH/ELG 2048 bit keys.  [The primary is 1024 by the
encrypting is 2048].
3.  Great.
4.  Just sign and encrypt the message.  I don't think md5sum will buy you
anything.

-----Original Message-----
From: Newton Hammet [mailto:treeflyr@io.com]
Sent: Tuesday, July 16, 2002 10:03 PM
To: gnupg-users@gnupg.org
Subject: Getting ready to use gnupg for real
Importance: High



Hello All,

   I have the possibility of "work-for-hire" situation coming up and my
potential
client
wants secure email traffic between the 2 of us getting the work done.

   I have proposed that we do the following ::

1. Both install gnupg-1.0.7.

2. Both generate a key-pair, each key-pair containing 1 RSA-2048bit signing
key, and
1 RSA 2048bit
  encryption key.

3. Exchange public keys, sign em and all that.

4. A message consists of 2 parts:  1 message encrypted with public key of
recipient.
                                   1 message which is the md5sum of the
unencrypted
message (+ date/time,
                                    and sender's name), signed with private
key of
sender.

It would seem that the above is maybe a reasonable protocol.  And 1 question
is, is
the above, or something
as safe, already available say, with the 'gpg -se' for signing and
encrypting the
same message, (I assume
gpg get's it right as to whose key to sign with and whose key to encrypt
with).

And is md5sum still considered to be safe?  I hear everyone talking about
SHA1 these
days. I get the
feeling that some of this is already done automagically by gnupg but not
totally
sure.  I have written
scripts to accomplish step 4 in reasonably automatic fashion, with the
exception of
passphrase prompting,
which I have eliminated for testing purposes by editting the keys and
changing to a
null passphrase.

Right now we have not done any of the steps.  I have done 1-4 already with 2
user ids
in order to
test my scripts.

Regards, Newton

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


CONFIDENTIALITY NOTICE:  This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.