ietf-openpgp

Re: Secure mailing list service using OpenPGP

1999-01-26 23:28:43
In <005901be49ae$b4cb1da0$cd683c81(_at_)vaio-luke(_dot_)isl(_dot_)ntt(_dot_)co(_dot_)jp>,
on 01/27/99 at 01:37 PM, " X c    G" <hiro(_at_)isl(_dot_)ntt(_dot_)co(_dot_)jp> said:

> Another problem is conformance to the OpenPGP/MIME specification proposed by
> K.Yamamoto[OpenPGP/MIME]. For example, if an original message is using
> the 'Encrypted-then-Signed' service, the current implementation replaces the
> inner multipart/encrypted MIME object, and this makes it impossible to verify
> the signature in the outer multipart/signed MIME object.
>
> Currently, I don't have the solutions for these problems. I'm just
> starting to grapple with them. I welcome your comments.

Signature retention is a big issue that I have been involved with on both
the PGP/MIME and now the OpenPGP working groups. Basically there are two
ways to accomplish this:

NON-MIME Approach:

The original sender of the message clearsigns the message then encrypts
the message (a two step process). This way the server decrypts &
re-encrypts the message and the signature is retained.

MIME Approach:

The original sender OpenPGP/MIME signs the message then OpenPGP/MIME
encrypts the message (again a two step process).

Unfortunately, few mailers/plugins are designed to use this approach when
signing & encrypting a message. Instead they use the sign & encrypt
approach (a one-step process), in which signature retention is not possible
after decryption.


-- 
---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
---------------------------------------------------------------
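
The two orderings discussed in this message, as an added sketch that is not part of the original post or of any mailing-list implementation. It uses labelled stand-ins rather than OpenPGP (HMAC-SHA256 for the signature, a SHA-256 keystream XOR for encryption); all keys, function names and the sample body are constructed for illustration.

```python
import hashlib
import hmac

# Stand-ins, NOT OpenPGP: HMAC-SHA256 plays the signature (a real OpenPGP
# signature is public-key), a SHA-256 keystream XOR plays encryption.
SENDER_KEY = b"constructed-sender-signing-key"
LIST_KEY = b"constructed-list-server-key"
MEMBER_KEY = b"constructed-subscriber-key"
BODY = b"Constructed sample message body\r\n"

def sign(data: bytes) -> bytes:
    return hmac.new(SENDER_KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def crypt(key: bytes, data: bytes) -> bytes:
    """Toy cipher: the same call encrypts and decrypts."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def list_server_relay(ciphertext: bytes) -> bytes:
    """Decrypt with the list key, re-encrypt to the subscriber."""
    return crypt(MEMBER_KEY, crypt(LIST_KEY, ciphertext))

def signed_then_encrypted_survives(body: bytes) -> bool:
    """Two-step approach: the signature sits inside the encrypted part."""
    sent = crypt(LIST_KEY, sign(body) + body)
    received = crypt(MEMBER_KEY, list_server_relay(sent))
    sig, plain = received[:32], received[32:]
    return plain == body and verify(plain, sig)

def encrypted_then_signed_survives(body: bytes) -> bool:
    """Outer signature covers the encrypted part that the server replaces."""
    inner = crypt(LIST_KEY, body)
    outer_sig = sign(inner)
    relayed_inner = list_server_relay(inner)
    return verify(relayed_inner, outer_sig)

if __name__ == "__main__":
    print("signed-then-encrypted verifies after relay:", signed_then_encrypted_survives(BODY))
    print("encrypted-then-signed verifies after relay:", encrypted_then_signed_survives(BODY))
```

The first case verifies because the signed bytes pass through the relay unchanged; the second fails because the outer signature was computed over ciphertext that the relay replaces.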