[plug] PGP Sign messages

Padraig MacIain draoidh at iinet.net.au
Tue Sep 21 18:04:00 WST 2004


On Tue, Sep 21, 2004 at 05:36:00PM +0800, Tim White wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> As some of you may have noticed my messages are now signed using PGP
> (Courtesy of Enigmail)
> I believe that public keys should be uploaded to a server so that
> people can verify your message. I am wondering what servers people on
> PLUG use and how to upload my own key to servers.

Generally the best way to deal with it is to upload your public key to a keyserver
(there are a few networked ones around the world) and then publish your
keyid / fingerprint in your .sig line and other such places. This way
anyone that wishes to verify your signatures (see below) or wants to send
you an encrypted email just needs to contact a keyserver, download said
key (based on key id) and then check its fingerprint against the supplied
fingerprint (this is to prevent man-in-the-middle type attacks).

> Also how does PGP work? Does it create an encrypted hash for the message
> or something? Ie. what is to stop somebody from copying the hash and
> replacing the message?

The hash is generated by the private-key of the keypair. It's a key that is
controlled by the 'owner' of it and never seen by anyone else. The hash
is verified by the public key.

> Thanks
> Tim
> p.s. Also, is there any real benefit to signing messages?

Technically it is there to show that the content of the email is the same
as when it left the original machine. It can be weakly used to verify
the sender but that is primarily a by-product of the function; most
usefully it's to show that a message hasn't been altered since being
signed.


-- 
Peter Crystal
url:		http://www.bur.st/~darke/
email:		 draoidh at iinet.net.au
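
The fingerprint check described in the reply above, as an added Python example that is not part of the original post. It assumes a version 4 RSA key and the RFC 4880 fingerprint definition; the timestamp and both "moduli" are constructed stand-ins, not real keys, and the helper names are hypothetical.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length, then the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fpr: str, short: bool = False) -> str:
    """The key ID is the low 64 bits of the fingerprint; the short form is the low 32."""
    return fpr[-8:] if short else fpr[-16:]

def grouped(fpr: str) -> str:
    """Format a fingerprint in groups of four, as it is usually printed in a .sig line."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def matches_published(body: bytes, published: str) -> bool:
    """Check a downloaded key against the fingerprint copied from a .sig line."""
    wanted = "".join(published.split()).upper()
    # Require the full 160-bit value: a key ID only finds the key, it does not vouch for it.
    if len(wanted) != 40:
        return False
    return hmac.compare_digest(fingerprint(body).encode(), wanted.encode())

# Constructed sample values (assumptions for the demo, not real key material).
CREATED = 1095760000
N_PUBLISHED = (1 << 2047) | 0xC0FFEE01
N_SUBSTITUTE = (1 << 2047) | 0xC0FFEE03
owner = rsa_public_key_body(CREATED, N_PUBLISHED, 65537)   # key the owner generated
served = rsa_public_key_body(CREATED, N_SUBSTITUTE, 65537) # different key returned by a server

if __name__ == "__main__":
    sig_line = grouped(fingerprint(owner))                  # what the owner publishes
    print("published fingerprint:", sig_line)
    print("key id used for lookup:", key_id(fingerprint(owner)))
    print("owner's key accepted:  ", matches_published(owner, sig_line))
    print("substitute key accepted:", matches_published(served, sig_line))
```
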


