Security Basics mailing list archives

Re: PGP encrypted email - basic questions


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 30 Dec 2006 03:05:05 +0100

On 2006-12-29 Dave Moore wrote:
> I'm trying to get started with PGP and there are some concepts I am
> having trouble with.
>
> I understand that a recipient of a PGP signed/encrypted message will
> have to get my public key to decrypt said message.

No. The recipient of your message will have to get your public key to
verify your signature of the message. If you want to encrypt the message
you will have to get the recipient's public key.

You sign a message with your private key.
The recipient verifies the signature with your public key.

You encrypt a message with the recipient's public key.
The recipient decrypts the message with his private key.

Because the private keys always remain with their respective owners this
guarantees the integrity of a signature (only the original sender has
the private key to create the signature) as well as the confidentiality
of the encrypted message (nobody but the intended recipient has the
private key to decrypt the message).

> What I don't understand is how this is carried out in a seemingly
> automatic fashion for many of the email messages I receive, e.g.
> postings from mailing lists, in which I see the 'BEGIN PGP SIGNED.. '
> and the signature at the end. I didn't decrypt these messages, and I
> have no idea how they got decrypted.

It's not encrypted, see above.

Whether a key not in your keyring is automatically fetched from a key
server is a matter of configuration.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

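A toy model of the key roles explained in the reply above, added here as an example and not part of the original thread: signing uses the sender's private key and is checked with the sender's public key, encryption uses the recipient's public key and is undone with the recipient's private key, and a clearsigned message stays readable without any key at all. It assumes textbook RSA over two hard-coded Mersenne primes (insecure, demonstration only) and only imitates the clearsigned layout seen on mailing lists, not real OpenPGP packets.

```python
import hashlib

def keypair(p: int, q: int):
    # Textbook RSA from two known primes (toy, NOT secure): returns (public, private).
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def _digest(msg: bytes, n: int) -> int:
    # Hash reduced mod n so it fits a single RSA block (toy shortcut, no padding).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, priv) -> int:            # needs the SENDER's private key
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(msg: bytes, sig: int, pub) -> bool:  # needs the SENDER's public key
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

def encrypt(msg: bytes, pub) -> int:          # needs the RECIPIENT's public key
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "toy: message must fit in one RSA block"
    return pow(m, e, n)

def decrypt(c: int, priv) -> bytes:           # needs the RECIPIENT's private key
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def clearsign(text: str, priv) -> str:
    # Imitates the clearsigned layout: the body is plaintext, only a signature is appended.
    sig = sign(text.encode(), priv)
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + text
            + "\n-----BEGIN PGP SIGNATURE-----\n" + hex(sig)
            + "\n-----END PGP SIGNATURE-----\n")

def read_clearsigned(blob: str):
    # Splits a clearsigned blob into (body, signature); reading the body needs no key.
    _head, rest = blob.split("\n\n", 1)
    body, sigpart = rest.split("\n-----BEGIN PGP SIGNATURE-----\n", 1)
    return body, int(sigpart.split("\n")[0], 16)

if __name__ == "__main__":
    alice_pub, alice_priv = keypair(2**127 - 1, 2**89 - 1)   # constructed sender key
    bob_pub, bob_priv = keypair(2**107 - 1, 2**61 - 1)       # constructed recipient key
    body, sig = read_clearsigned(clearsign("Patch released", alice_priv))
    print(body, verify(body.encode(), sig, alice_pub), verify(body.encode(), sig, bob_pub))
    print(decrypt(encrypt(b"meet at noon", bob_pub), bob_priv))
```

Verifying with the wrong public key or after altering the body fails, while the clearsigned body is readable by anyone, which is exactly why a mailing-list posting needs no decryption.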