Security Basics mailing list archives

Re: PGP encrypted email - basic questions


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Fri, 29 Dec 2006 17:35:04 -0500

Dave Moore wrote:

> Hello all-
>
> I'm trying to get started with PGP and there are some concepts I am
> having trouble with.
>
> I understand that a recipient of a PGP signed/encrypted message will
> have to get my public key to decrypt said message. What I don't

Not exactly. To verify a signed message they will need your public key.
To decrypt an encrypted message they don't necessarily have to know
anything about you at all. However you need their public key to encrypt
a message to them.

Signing and encryption are (or can be) two completely different
processes. As far as which key component is used, public or private,
you can think of the two processes as mirror images of each other.
Signing uses your private key to create something that can only be
"unlocked" by your public key. Encryption on the other hand creates
something using the public key component, which can only be "unlocked"
by the private key.

> understand is how this is carried out in a seemingly automatic fashion
> for many of the email messages I receive, e.g. postings from mailing
> lists, in which I see the 'BEGIN PGP SIGNED.. ' and the signature at
> the end. I didn't decrypt these messages, and I have no idea how they
> got decrypted.

They didn't. They were sent out exactly the way you see them. What
you're seeing is a process called "clear signing", where a text is
wrapped in an "envelope" that can be used to determine if anything
between the BEGIN and the signature has been changed. The text itself
is meant to be readable by everyone. The signature is there mainly to
prove message integrity, and with proper key management, authorship.

> When I encrypt a message and send it to myself, the message I see is
> decidedly not decrypted. I did notice this header..
>
> OpenPGP: id=5847D5CF;
> url=http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0x5847D5CF
>
> in the outgoing encrypted test message I sent, which leads me to
> suspect that it might have something to do with this process, but
> still, my message is not decrypted.

This is probably an option in your mail client configuration. I'm not
familiar with anything that inserts the above headers specifically (I
use GnuPG in a GNU/Linux environment), but they appear to be some sort
of "convenience" header. Not absolutely necessary for normal operation,
but nice to have around.

PGP itself can be configured to automatically check public servers such
as the one in the url above if it sees messages signed by keys not
already on your keyring. I believe it can also search out and download
keys if you tell it to encrypt something to a missing key. GnuPG does
this anyway. If you find and set the option in your mail client that
says something like "automatically check signatures" and configure PGP
to "automatically retrieve keys", it could very well be that PGP uses
the above information to collect missing public keys for you. Someone
else may know more on this.

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
    grok!              Registered Linux user #402208
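The "mirror image" point made in the reply above (sign with your private key, verify with your public key; encrypt with the recipient's public key, decrypt with their private key) and the clear-signing description are easiest to see with keys you control. The following is an added example written for this archive page, not code from the thread or from GnuPG: it uses RSA from Go's standard library as a stand-in for the OpenPGP key operations, the parties "alice" and "bob", the 2048-bit key size and the message texts are all constructed for the demo, and `ClearSigned` is a hypothetical struct that keeps the text readable with the signature carried beside it, as a clear-signed mail does.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Party owns one keypair. As with a PGP keyring, the private half never
// leaves its owner; only the public half is handed out.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA keypair (constructed for the demo;
// real OpenPGP keys are longer-lived and managed on a keyring).
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

// Public returns the shareable half of the key.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// ClearSigned is the analogue of a clear-signed mail (hypothetical type):
// the text stays readable and the signature travels alongside it.
type ClearSigned struct {
	Text string
	Sig  []byte
}

// ClearSign uses the SIGNER'S PRIVATE key over a hash of the text.
func (p *Party) ClearSign(text string) (ClearSigned, error) {
	h := sha256.Sum256([]byte(text))
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, h[:], nil)
	if err != nil {
		return ClearSigned{}, err
	}
	return ClearSigned{Text: text, Sig: sig}, nil
}

// VerifyClearSigned needs only the signer's PUBLIC key. Any change to Text
// between signing and checking changes the hash, so the check fails.
func VerifyClearSigned(signer *rsa.PublicKey, m ClearSigned) bool {
	h := sha256.Sum256([]byte(m.Text))
	return rsa.VerifyPSS(signer, crypto.SHA256, h[:], m.Sig, nil) == nil
}

// Encrypt uses the RECIPIENT'S PUBLIC key; the sender's keys play no part.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
}

// Decrypt uses the RECIPIENT'S PRIVATE key; any other key fails with an error.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

func main() {
	alice, err := NewParty("alice")
	if err != nil {
		log.Fatal(err)
	}
	bob, err := NewParty("bob")
	if err != nil {
		log.Fatal(err)
	}

	// Signing: Alice's private key signs; anyone holding Alice's public key checks.
	signed, _ := alice.ClearSign("Meeting moved to 3pm.")
	fmt.Println("signature valid:", VerifyClearSigned(alice.Public(), signed))
	tampered := ClearSigned{Text: "Meeting moved to 4pm.", Sig: signed.Sig}
	fmt.Println("tampered text valid:", VerifyClearSigned(alice.Public(), tampered))

	// Encryption: Bob's public key locks; only Bob's private key unlocks.
	ct, _ := Encrypt(bob.Public(), []byte("for Bob only"))
	pt, err := bob.Decrypt(ct)
	fmt.Printf("bob decrypts: %q (err=%v)\n", pt, err)
	_, err = alice.Decrypt(ct)
	fmt.Println("alice can decrypt:", err == nil)
}
```

Note what each step does and does not need: verifying Alice's signature requires her public key and nothing of Bob's, while sending Bob an encrypted message requires his public key and nothing of Alice's, which is the distinction the reply draws.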

Attachment: signature.asc