easy way to confirm email validity
ptr
peter_z_g at yahoo.co.uk
Thu May 24 20:37:09 CEST 2007
Agree with the DNS poisoning, my form would need to be SSL'ed with my private
certificate.
In terms of educating my recipients - yes, it may be tricky, that is
probably the weakest point of my concept, will need to think how to approach
it.
The solution should be both easy for the recipient, but also somehow
spam/hack proof.
Errrr...
Just one more question:
What parameters are used to create the hash? well, apart the message itself
and my private key.
Thanks
Peter
Peter Todd wrote:
>
> On Thu, May 24, 2007 at 10:29:11AM -0700, ptr wrote:
>>
>> I cannot "force" my recipients to install any PGP software so I was
>> thinking
>> about creating signature verification form on my website. If someone
>> wanted
>> to check if the email is really from me, he/she could paste the signed
>> email
>> part on the form, then the server-side script would verify that.
>>
>> I'm quite new to PGP, so correct me if I'm wrong and don't laugh too much
>> :)
>> ; would this be achievable?
>> I know I'd need to have my public key accessible to the validation
>> script.
>>
>>
>> While writting this response I've actually stumbled across a page that I
>> think does what I need (http://www.sin-online.nl/ds/)
>>
>> Actual coding of the script should be v.easy, I'm just not sure if the
>> concept is correct.
>
> A big problem with the idea is what your telling your recipients, IE
> that by going to a completely untrusted site you can somehow trust an
> email. I suspect that a recipient with enough technical know how to
> properly use such a verifier, IE type in the url themselves and make
> sure the site is ssl encrypted with a trusted certificate, wouldn't find
> it that much harder to simply install PGP software.
>
> For instance the page you mentioned is vulnerable to dns poisoning
> attacks as it's not SSL encrypted. Theoretical? Sure, but forged email
> messages aren't all that much less theoretical if your recipients know
> how to look at headers.
>
> --
> http://petertodd.ca
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
--
View this message in context: http://www.nabble.com/easy-way-to-confirm-email-validity-tf3808131.html#a10789992
Sent from the GnuPG - User mailing list archive at Nabble.com.
More information about the Gnupg-users
mailing list