[olug] quick pgp question

[K.J. Kirwan]

Actually, you are both right.  

I know S/Mime works this way, and I think GPG does too.  

A signed (but not "encrypted") email is *sent twice* in 
the same email, one after the other, first in plaintext, 
then encrypted with the senders' private key.  (But don't 
believe me, find one and "view message source" for yourself.)  

This results in a message which (in ordinary email clients) 
can still be read (proving nothing) and is followed by an 
equal amount of gibberish, which may or may not be supressed.  

A secure email client will get the sender's public key, 
decrypt the encrypted copy of the message, and compare the 
two copies against each other, looking for tampering.  If there 
are no differences between them, then the plaintext message is 
(1) unaltered, and (2) could only have been created by the sender.  

If the email is to be "signed and encrypted", then both copies of 
the same message get encrypted a *second time* but this time with 
the intended receiver's public key, resulting in a message that can 
only be read by the recipient, and could only have been created 
by the sender.  

If any of this is not so in GPG, please let me know, as I am 
planning to give GPG a try soon via Mozilla/Enigmail.  Thanks.  

Kim Kirwan

--
K.J. Kirwan     <kjk_elec at ix.netcom.com>


OBrien, Timothy (Omaha Linux Users Group - OLUG) wrote:
> <quote who="Tim - DZ">
> 
>>Pretty much.
>>
>>Signing and encrypting work much the same way, just depends on the key
>>used.
>>
>>Signing is basically encrypting with your private key, then anyone can
>>verify that it was you that signed but decrypting with your public key.
> 
> 
> Eh, no. Signing an email with your key does not encrypt the email - it
> only adds the information of your key so that the recipient can verify the
> sender as you.
> Encrypting the email uses a different key pair to encrypt the message, and
> adds your digital signature (normally - depending on your email client.)
>