[Dshield] Outlook & PGP signed e-mail. Was: ID theft ring hits 50 banks, firm says

Stephane Grobety security at admin.fulgan.com
Wed Aug 10 07:44:52 GMT 2005


Hello,

That's not a good idea if you ask me. Digitally signing the message
already guarantee that the message content hasn't been tampered with.
Also, it doesn't prevent message tampering: since the public key of
the recipient is, well, public, anyone could change the message and
re-generate an encrypted version that will check so you need to sign
the message anyway. Accidental changes are more easily checked using a
simple checksum: it is less demanding in infrastructure and
computation.

Plus, encrypting a message takes more resources than simply signing
it.

So in short: it doesn't work or, at best, it takes much more resources
than necessary (if you're using it only to prevent accidental
changes).

Good luck,
Stephane

BN> Since you are on the subject I just wanted to ask why you feel the
BN> need to encrypt the message? I remember (way to long ago) that it
BN> used to be quite common to include one version encrypted and one
BN> unencrypted so that the recipient can verify that the message has
BN> not been modified along the way.





More information about the list mailing list