Re: [exim] accepting email authenthicating on GPG/PGP signat…

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] accepting email authenthicating on GPG/PGP signature
* on the Wed, Apr 09, 2014 at 10:35:30AM +0100, Klaus Ethgen wrote:

> [Encryption inside or outside of signing]
>> That is not correct. With PGP, we always sign the ciphertext. We don't
>> encrypt signed plaintext. (*)
>
> You might be right with your concerns below but I just tested encrypting
> and signing a file and looked at the packages via gpgsplit. There is a
> package 001 and one 018 on top and inside 018 is the signature. If you
> have a look at [0] Section 4.3 you can see that 001 is the encrypted
> session key.
>
> It even makes full sense this way around as the signature itself might
> be sensitive data that is protected by the encryption.


I immediately doubted myself after sending that message. I've always had
it in my head that that's the way it works, but I could be wrong. I'll
have a play with gpgsplit myself. I'd never come across that utility
before.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4