[Dshield] Outlook & PGP signed e-mail. Was: ID theft ring hits 50 banks, firm says

Johannes B. Ullrich jullrich at euclidian.com
Wed Aug 10 12:14:09 GMT 2005


> Since you are on the subject I just wanted to ask why you feel the need to encrypt the
> message? I remember (way too long ago) that it used to be quite common to include one
> version encrypted and one unencrypted so that the recipient can verify that the message
> has not been modified along the way.

It's not about 'encryption', but about 'authentication'.

The PGP signature just authenticates that the message was written by
myself, and not spoofed.

Now as mentioned by another poster, in order to actually verify that the
message was signed by myself, you would need a trusted source for my
key, which you don't have. However, this is why it is useful to sign
all e-mail, and not just critical e-mail. Once you have seen a good
number of messages that appear to come from me, it is more likely that
the key is actually mine.

The one thing missing about PGP is a set of universally trusted keys,
in the way that browsers, for example, come with a set of trusted SSL certificates.
So you need to establish trust in keys yourself (some people say that
this is an advantage). In particular, Thawte's free certificates are
usually not verified well.
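The post's point is that a signature only authenticates the sender once you have a key you trust, and that, lacking a trusted source, confidence in a key can build up as many messages verify consistently under it. The added example below models exactly that. It is not code from the post, from the list or from DShield: it uses Ed25519 from Go's standard library in place of OpenPGP, and the key store, the binding of a key to a sender address, the sender address used in main, and the sample messages are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// pin is the trust-on-first-use (TOFU) record for one sender address:
// the first key we saw signing as that address, and how many messages
// have verified under it since. (Constructed for this example.)
type pin struct {
	key      ed25519.PublicKey
	verified int
}

// KeyStore stands in for the "trusted source for my key" the post says the
// reader does not have: we have no CA, so we remember what we have seen.
type KeyStore struct {
	pins map[string]*pin
}

func NewKeyStore() *KeyStore { return &KeyStore{pins: map[string]*pin{}} }

var (
	ErrBadSignature = errors.New("signature does not verify against the claimed key")
	ErrKeyChanged   = errors.New("claimed key differs from the key pinned for this sender")
)

// Fingerprint returns a short hex digest of a public key, the value a reader
// would compare out of band (by phone, in person) to confirm the key is real.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Check verifies msg against sig under the key the message claims to carry,
// then compares that key with the one pinned for sender. It returns how many
// messages have verified under the pinned key so far: a history of many good
// signatures is the post's reason for signing every mail, not just the
// important ones. A changed key is reported, never silently accepted.
func (ks *KeyStore) Check(sender string, claimed ed25519.PublicKey, msg, sig []byte) (int, error) {
	// A signature that does not verify tells us nothing about the sender,
	// whether the body was altered in transit or the signature was faked.
	if !ed25519.Verify(claimed, msg, sig) {
		return 0, ErrBadSignature
	}
	p, seen := ks.pins[sender]
	if !seen {
		// First contact: pin the key. Verification proves only that the
		// holder of this key wrote the message, not yet that it is the
		// person behind the address.
		ks.pins[sender] = &pin{key: claimed, verified: 1}
		return 1, nil
	}
	if !p.key.Equal(claimed) {
		// Same address, different key: either a legitimate key rollover
		// (to be confirmed out of band) or a spoofing attempt.
		return p.verified, ErrKeyChanged
	}
	p.verified++
	return p.verified, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ks := NewKeyStore()
	sender := "jullrich@euclidian.com" // address from the list post; the key pair is constructed
	fmt.Println("pinned fingerprint will be:", Fingerprint(pub))

	// Three ordinary signed mails: confidence in the pinned key grows with each.
	for _, body := range []string{"Hello list", "Second note", "Third note"} {
		n, err := ks.Check(sender, pub, []byte(body), ed25519.Sign(priv, []byte(body)))
		fmt.Printf("%-12q verified under pinned key: %d  err=%v\n", body, n, err)
	}

	// A mail whose body was changed after signing: the signature no longer verifies.
	tampered := []byte("Third note, please wire the funds")
	_, err = ks.Check(sender, pub, tampered, ed25519.Sign(priv, []byte("Third note")))
	fmt.Println("tampered body:", err)

	// A mail claiming the same address but signed with a different key.
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	n, err := ks.Check(sender, otherPub, []byte("Hi again"), ed25519.Sign(otherPriv, []byte("Hi again")))
	fmt.Printf("different key (history of %d good messages): %v\n", n, err)
}
```

The store deliberately returns a count rather than a yes/no answer: as the post says, a single verified message only shows that someone holds the key, and it is the accumulated, consistent history that makes the key more likely to be the sender's own. Comparing the fingerprint with the sender out of band is what turns that probability into actual trust.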
