Re: [exim] accepting email authenthicating on GPG/PGP signat…

Author: Klaus Ethgen
Date:  
To: exim-users
Subject: Re: [exim] accepting email authenthicating on GPG/PGP signature
Am Mi den 9. Apr 2014 um 9:46 schrieb Mike Cardwell:
[Encryption inside or outside of signing]
> That is not correct. With PGP, we always sign the ciphertext. We don't
> encrypt signed plaintext. (*)


You might be right with your concerns below, but I just tested encrypting
and signing a file and looked at the packages via gpgsplit. There is a
package 001 and one 018 on top, and inside 018 is the signature. If you
have a look at [0] Section 4.3, you can see that 001 is the encrypted
session key.

It even makes full sense this way around, as the signature itself might
be sensitive data that is protected by the encryption.

> > Another problem is for mime signatures that can include several
> > multipart parts. Inline signatures are easy but seldom seen today.
>
> Mail::GnuPG is a very simple Perl module that will handle openpgp
> operations on multipart MIME emails. A Perl script to verify such
> an email would probably be about half a dozen lines of code.


Ok, I did not have a look into it.

Regards
Klaus

[0] http://www.ietf.org/rfc/rfc4880.txt
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C