-----BEGIN PGP SIGNED MESSAGE-----
In
<Pine(_dot_)WNT(_dot_)3(_dot_)95(_dot_)970910125211(_dot_)-160753C-100000(_at_)w(_dot_)ic-public(_dot_)utoronto(_dot_)ca>,
on 09/10/97
at 11:53 AM, <robert(_dot_)guerra(_at_)utoronto(_dot_)ca> said:
---------- Forwarded message ----------
With the advent of several different ways to encrypt & Sign pgp messages,
i'd like to know if it might be a good idea to specify a preffered
"method" which should be used in "answering" an encoded message.
An example (using pgp 5.0 & Eudora Plug-in):
1.A encrypts & signs a message with RSA and sends it to B.
2.B decodes the message, and writes a reply to A's message
3.When message is processed by eudora/pgp a problem arises....A has two
public keys..A RSA key and a DH/DSS key...which one should be used..?
(one can decide to use both keys, and leave it up to A to
decode...however A may "prefer" one method...)
Thus, if it would be possible to encorporate a "preferred
encrytion/signing method" then the selection of which key/encrytion
method might
be able to be done automatically...
I mentioned this a while ago to the folks at pgp, and would be interested
in hearing what the mailing list thinks...
I have something like this with my current PGP implementation.
Unfortunately it's not very automatic. My users have the ability to set a
default key for an e-mail address. This was neccessary as quite often one
will find multiple keys with the same e-mail address in the Userid's.
Automatic determining of how to sign a message is tricky.
- -- The simplest is just to use MD5/PGP2.6.x method of signing as everyone
regardless of version can verify these signatures.
- -- Use PGP/MIME and sign the message in parallel in both formats. This
will cause problems with those unable to verify PGP/MIME signatures.
- -- Clear sign the message using standard PGP 2.6.x format then PGP/MIME
sign the message using the PGP 5.0 key. This would give the user the
greatest flexibility but I am sure there will be a few that will squawk
over this. :)
- -- Lookup the receivers key and check and see what type it is then use a
corresponding signature format. Much more work involved here as it would
require communication with the servers for each signature. It also does
not address the issue of a receiver having both types of keys nor the
issue of signed messages going to a group of people.
The current situation of PGP 2.6.x/RSA/MD5 & PGP 5.0/DSS/SHA1 is a real
PITA. It has added quite a bit of complication to PGP integration efforts.
- --
- ---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
- ---------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000
iQCVAwUBNBbURY9Co1n+aLhhAQG7jwP/S7gepuvz1ssAP88NjkdDkiBwxXbloE3B
5ESnTQjrHvoFNl0IsDBDK8tLPXIn25lA8/U5MPIpqgKnERj17bkWQdXcTxUADtyc
jbvj24fAgAm8gHDLr7Eptd4lxoWtk/gVtPsojkDOHVx/2x+K3d2CbjRi4kv3/YFZ
f9V6OkVKp88=
=YeiL
-----END PGP SIGNATURE-----