Security Basics mailing list archives

RE: PGP encrypted email - basic questions


From: "Bass, Mike B [CCC-OT_IT]" <mike.b.bass () citigroup com>
Date: Tue, 2 Jan 2007 14:56:23 -0500

While we are on the subject, could someone reply to this message and
sign it with S/MIME? I need to test something. Thanks.

Mike

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Thomas D.
Sent: Saturday, December 30, 2006 7:03 AM
To: security-basics () securityfocus com
Subject: RE: PGP encrypted email - basic questions

Dave asked on Friday, December 29, 2006 4:01 PM:
I understand that a recipient of a PGP signed/encrypted message will
have to get my public key to decrypt said message.

Your recipient needs your public key to check the signature, but with
your public key alone he/she is not able to decrypt the encrypted message,
because at the moment you send that mail you have to decide who should
be able to read it: you will only encrypt this message with those
public keys (don't forget your own key if you want to be able to read
this mail in your "sent messages" folder).


What I don't
understand is how this is carried out in a seemingly automatic fashion
for many of the email messages I receive, e.g. postings from mailing
lists, in which I see the 'BEGIN PGP SIGNED.. ' and the signature at
the end.

You can sign every mail you are sending. This can be done automatically
using a PGP relay service, and many PGP plugins, like Enigmail, offer this
functionality.

As I said before, if the recipient wants to validate this signature,
he/she needs your public key.
This is the reason why you can do this without any user interaction
while sending.

If you want to encrypt the message you are sending, you need the
public key of the recipient you are sending this message to. Many PGP
applications offer functions to search automatically for those keys.

But keep in mind:
one of the basic ideas behind PGP is TRUST. If you download a key
automatically to encrypt the message for this recipient, you don't
really know if you have his/her key or if it is perhaps a key from a bad
guy, spoofing to be your recipient :)
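
The sign/encrypt split and the key-trust point discussed in the thread, as an added example that is not part of the original messages: a toy model of how PGP uses its keys (tiny RSA with 20-bit primes and a SHA-256-derived XOR keystream stand in for the real algorithms, so it runs on the Python standard library alone and is not secure). It shows that signing needs only the sender's private key and verifying only the sender's public key, that a message encrypted to Bob alone is unreadable even by its author unless her own key is included, and that a key fetched automatically under Bob's address may belong to someone else. The names, addresses and the key server contents are constructed for the example.

```python
"""Toy model of the PGP sign/encrypt split. Tiny RSA plus a hash-derived
keystream stand in for the real algorithms; nothing here is secure, it
only shows which key each operation needs."""
import hashlib
import math
import os


def next_prime(n):
    """Smallest prime >= n, by trial division (cheap at these sizes)."""
    while True:
        if n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1)):
            return n
        n += 1


def keygen(seed):
    """Deterministic toy RSA key pair; returns (public, private)."""
    p = next_prime(1_000_000 + 37 * seed)
    q = next_prime(1_000_500 + 53 * seed)      # always > p, so p != q
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def fingerprint(pub):
    """Stands in for a PGP key ID / fingerprint."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


def _digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    """Signing needs only the SENDER's private key."""
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg, sig):
    """Verifying needs only the sender's PUBLIC key."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


def _keystream_xor(key, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(msg, recipient_pubs):
    """Like PGP: one random session key, wrapped once per recipient
    public key and filed under that key's fingerprint."""
    session = os.urandom(4)                    # 32 bits: fits under every toy n
    k = int.from_bytes(session, "big")
    wrapped = {fingerprint(pub): pow(k, pub[1], pub[0]) for pub in recipient_pubs}
    return {"body": _keystream_xor(session, msg), "wrapped": wrapped}


def decrypt(envelope, pub, priv):
    """Plaintext, or None when the message was not encrypted to this key
    (for instance the sender's own copy in the "sent" folder)."""
    blob = envelope["wrapped"].get(fingerprint(pub))
    if blob is None:
        return None
    n, d = priv
    return _keystream_xor(pow(blob, d, n).to_bytes(4, "big"), envelope["body"])


def lookup(keyserver, address):
    """Naive automatic fetch: whatever was uploaded first for the address."""
    return keyserver[address][0]


def demo():
    alice_pub, alice_priv = keygen(1)
    bob_pub, bob_priv = keygen(2)
    mallory_pub, mallory_priv = keygen(3)
    msg = b"Meeting moved to 15:00."

    sig = sign(alice_priv, msg)
    env = encrypt(msg, [bob_pub])                   # to Bob only
    env_self = encrypt(msg, [bob_pub, alice_pub])   # to Bob and to herself

    # Constructed key server: Mallory uploaded a key for Bob's address first.
    keyserver = {"bob@example.com": [mallory_pub, bob_pub]}
    fetched = lookup(keyserver, "bob@example.com")
    env_spoofed = encrypt(msg, [fetched])

    return {
        "signature_ok": verify(alice_pub, msg, sig),
        "tampered_ok": verify(alice_pub, msg + b"!", sig),
        "bob_reads": decrypt(env, bob_pub, bob_priv),
        "alice_reads_sent_copy": decrypt(env, alice_pub, alice_priv),
        "alice_reads_when_included": decrypt(env_self, alice_pub, alice_priv),
        "mallory_reads_spoofed": decrypt(env_spoofed, mallory_pub, mallory_priv),
        "bob_reads_spoofed": decrypt(env_spoofed, bob_pub, bob_priv),
        # Comparing the fetched key with a fingerprint obtained out of band
        # (phone call, business card, a signature from someone you trust) is
        # what catches the substitution.
        "fingerprint_matches_bob": fingerprint(fetched) == fingerprint(bob_pub),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "wrapped" dictionary keyed by fingerprint mirrors what PGP does with key IDs: a recipient can only unwrap a session-key copy made for its own key, which is why the sender's own copy of an outgoing message is unreadable unless the sender's key was among the encryption targets.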

