[Dshield] Outlook & PGP signed e-mail. Was: ID theft ring hits 50 banks, firm says

Stephane Grobety security at admin.fulgan.com
Wed Aug 10 07:44:52 GMT 2005


That's not a good idea if you ask me. Digitally signing the message
already guarantees that the message content hasn't been tampered with.
Also, it doesn't prevent message tampering: since the public key of
the recipient is, well, public, anyone could change the message and
re-generate an encrypted version that will check so you need to sign
the message anyway. Accidental changes are more easily checked using a
simple checksum: it is less demanding in infrastructure and

Plus, encrypting a message takes more resources than simply signing

So in short: it doesn't work or, at best, it takes much more resources
than necessary (if you're using it only to prevent accidental

Good luck,

BN> Since you are on the subject I just wanted to ask why you feel the
BN> need to encrypt the message? I remember (way too long ago) that it
BN> used to be quite common to include one version encrypted and one
BN> unencrypted so that the recipient can verify that the message has
BN> not been modified along the way.
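An added illustration of the point made above, not part of the original post: textbook RSA with tiny constructed primes (a toy, not usable cryptography) shows that anyone holding the recipient's public key can swap the message and re-encrypt it, so decryption alone reveals nothing, while the sender's signature over the original does catch the change. Names, keys and the message are all constructed for this example.

```python
import hashlib

# Toy textbook RSA on constructed small primes: for illustration only.
def keygen(p, q, e=17):
    """Return ((e, n), (d, n)) for constructed primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(msg: bytes, pub) -> list:
    """Encrypt byte by byte with the recipient's PUBLIC key: anyone can do this."""
    e, n = pub
    return [pow(b, e, n) for b in msg]

def decrypt(cts: list, priv) -> bytes:
    d, n = priv
    return bytes(pow(c, d, n) for c in cts)

def digest(msg: bytes, n: int) -> int:
    # SHA-256 reduced mod n so it fits the toy modulus
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, priv) -> int:
    """Sign with the sender's PRIVATE key: only the sender can do this."""
    d, n = priv
    return pow(digest(msg, n), d, n)

def verify(msg: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(msg, n)

ALICE_PUB, ALICE_PRIV = keygen(1009, 1013)  # sender (constructed key)
BOB_PUB, BOB_PRIV = keygen(991, 997)        # recipient (constructed key)
ORIGINAL = b"pay 100 to account A"          # constructed message
TAMPERED = b"pay 100 to account M"          # constructed substitute

def tampering_scenario() -> dict:
    """Mallory replaces the message in transit and re-encrypts to Bob."""
    sig = sign(ORIGINAL, ALICE_PRIV)          # Alice signs the real message
    in_transit = encrypt(TAMPERED, BOB_PUB)   # needs only Bob's public key
    received = decrypt(in_transit, BOB_PRIV)  # decrypts to clean plaintext
    return {
        "received": received,
        "plaintext_looks_valid": received == TAMPERED,  # encryption caught nothing
        "signature_valid": verify(received, sig, ALICE_PUB),  # signature fails
    }
```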
