[Dshield] Outlook & PGP signed e-mail. Was: ID theft ring hits 50 banks, firm says

Bo Nordgren bo at nordgren.net
Wed Aug 10 07:55:18 GMT 2005


> That's not a good idea if you ask me. Digitally signing the message
> already guarantees that the message content hasn't been tampered with.
> Also, it doesn't prevent message tampering: since the public key of
> the recipient is, well, public, anyone could change the message and
> re-generate an encrypted version that will check so you need to sign
> the message anyway. Accidental changes are more easily checked using a
> simple checksum: it is less demanding in infrastructure and
> computation.

Well.. I do have to disagree since it takes the private key to encrypt the message and
the public key is only used for unencrypting it. If the private key is available you can
just chuck the signing out the window since it becomes a pretty useless waste of resources.

I also think you misunderstood me. The thought was to have one copy in plaintext and
one encrypted so that one can be compared with the other for verification. Perhaps I am
lost in semantics here and we are barking up the same tree but never mind.

> Plus, encrypting a message takes more resources than simply signing
> it.
> 
> So in short: it doesn't work or, at best, it takes much more resources
> than necessary (if you're using it only to prevent accidental
> changes).

I am not sure what you are advocating here. Yes, it does take more resources to encrypt
the message but those are mostly on the workstation that generally has CPU cycles to
spare before it does things like virus scan outgoing email etc.
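
The point raised in the quoted text (the recipient's public key is enough to produce a ciphertext that decrypts cleanly, so only a signature ties the content to the sender), as an added example that is not part of the original post. It uses textbook RSA without padding and constructed toy keys built from Mersenne primes; the keys, messages and all function names are assumptions for illustration only.

```python
import hashlib

E = 65537  # public exponent shared by both constructed toy keys

def make_key(p, q):
    """Build a toy RSA key: n is the public part, d the private part."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed keys (Mersenne primes); far too small and unpadded for real use.
RECIPIENT = make_key(2**107 - 1, 2**127 - 1)
SENDER = make_key(2**61 - 1, 2**89 - 1)

def encrypt(msg, pub_n):
    """Encrypt with the public values (n, E) only."""
    m = int.from_bytes(msg, "big")
    if m >= pub_n:
        raise ValueError("message too long for this toy key")
    return pow(m, E, pub_n)

def decrypt(ct, key):
    """Decrypt with the private exponent d."""
    m = pow(ct, key["d"], key["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    """Sign with the sender's private exponent d."""
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(msg, sig, pub_n):
    """Check a signature with the sender's public values only."""
    return pow(sig, E, pub_n) == digest(msg, pub_n)

def demo():
    original = b"pay 100 to alice"           # constructed sample message
    sig = sign(original, SENDER)             # made by the real sender
    altered = b"pay 900 to alice"            # text changed in transit
    # Re-encrypting the altered text needs only the recipient's public key.
    received = decrypt(encrypt(altered, RECIPIENT["n"]), RECIPIENT)
    return {
        "decrypts_cleanly": received == altered,
        "sig_ok_on_original": verify(original, sig, SENDER["n"]),
        "sig_ok_on_received": verify(received, sig, SENDER["n"]),
    }

if __name__ == "__main__":
    print(demo())
```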



