On Thu, May 24, 2007 at 10:29:11AM -0700, ptr wrote:
> I cannot "force" my recipients to install any PGP software so I was thinking
> about creating a signature verification form on my website. If someone wanted
> to check if the email is really from me, he/she could paste the signed email
> part into the form, then the server-side script would verify that.
>
> I'm quite new to PGP, so correct me if I'm wrong and don't laugh too much :)
> ; would this be achievable?
> I know I'd need to have my public key accessible to the validation script.
>
> While writing this response I've actually stumbled across a page that I
> think does what I need (http://www.sin-online.nl/ds/)
>
> Actual coding of the script should be v.easy, I'm just not sure if the
> concept is correct.
A big problem with the idea is what you're telling your recipients, i.e. that by going to a completely untrusted site you can somehow trust an email. I suspect that a recipient with enough technical know-how to properly use such a verifier, i.e. type in the URL themselves and make sure the site is SSL encrypted with a trusted certificate, wouldn't find it that much harder to simply install PGP software.

For instance the page you mentioned is vulnerable to DNS poisoning attacks as it's not SSL encrypted. Theoretical? Sure, but forged email messages aren't all that much less theoretical if your recipients know how to look at headers.

--
http://petertodd.ca
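The server-side piece ptr describes, as an added example that is not code from the thread or from the linked sin-online.nl page: it accepts exactly one pasted OpenPGP cleartext-signed block (the RFC 4880 clearsign format), recovers the exact signed text, and has gpg verify it against a keyring that holds only the site owner's public key. The keyring path and the use of the `gpg` binary are assumptions; the sample message in the comments is constructed.

```python
"""Backend for a "paste the signed part of my email here" form. Added example,
not code from the thread or sin-online.nl: takes one OpenPGP cleartext-signed
block (RFC 4880 sec. 7), recovers the exact signed text, and has gpg verify it
against a keyring with only the site owner's key (KEYRING is an assumed path)."""
import os
import subprocess
import tempfile

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
KEYRING = "/srv/verify/owner-pubkey.kbx"  # assumed: keyring with one public key


def extract_clearsigned(pasted):
    """Return (signed_text, armored_signature); raise ValueError otherwise."""
    lines = pasted.replace("\r\n", "\n").split("\n")
    if lines.count(BEGIN_MSG) != 1 or lines.count(BEGIN_SIG) != 1:
        raise ValueError("expected exactly one clearsigned block")
    start, sig_start = lines.index(BEGIN_MSG), lines.index(BEGIN_SIG)
    if sig_start < start or END_SIG not in lines[sig_start:]:
        raise ValueError("malformed clearsigned block")
    sig_end = lines.index(END_SIG, sig_start)
    i = start + 1  # "Hash: ..." headers run until the first empty line
    while i < sig_start and lines[i] != "":
        if not lines[i].startswith("Hash: "):
            raise ValueError("unexpected header in clearsigned block")
        i += 1
    if i >= sig_start:
        raise ValueError("missing blank line after headers")
    # Signed text: undo "- " dash-escaping, strip trailing whitespace, and
    # leave out the line ending just before BEGIN PGP SIGNATURE (RFC 4880).
    body = (l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start])
    text = "\n".join(l.rstrip(" \t") for l in body)
    armor = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return text, armor


def verify_with_gpg(text, armor, keyring=KEYRING):
    """True only when gpg reports VALIDSIG from a key in the owner-only keyring."""
    with tempfile.TemporaryDirectory() as d:
        sig, data = os.path.join(d, "sig.asc"), os.path.join(d, "msg.txt")
        with open(sig, "w") as f:
            f.write(armor)
        with open(data, "w") as f:
            f.write(text)
        r = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                            keyring, "--status-fd", "1", "--verify", sig, data],
                           capture_output=True, text=True)
    return r.returncode == 0 and "[GNUPG:] VALIDSIG" in r.stdout
```

The form handler should call extract_clearsigned first so that only one well-formed block ever reaches gpg, and the keyring must contain nothing but the owner's key so a valid signature from any other key is not mistaken for the owner's. As Peter's reply points out, none of this makes the page itself trustworthy; it only means anything when the recipient reaches it over a trusted channel.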
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users