-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 20-11-2010 12:41, Gold IsMoney wrote:
> Thank you for the quick reply. You're right - I didn't realize the
> thing about signing since I usually don't use it. It makes perfect
> sense though - so I know now that if I receive an encrypted e-mail from
> a sender but it's only encrypted, not signed - all I know is that the
> sender has access to the private key... not necessarily the password. It
> 'should' be the sender, but not necessarily.
No, no, he didn't have access to any private key, he just had access to YOUR public key.

To encrypt a message, I need access to the public key of the recipient, and since it is public, anyone can have access to it without any security risk.

To sign a message, I need access to my own private key.

To check a signature issued by someone else, I need access to the public key of the sender.

To decrypt a message, I need access to my private key.

To "prove" a message comes from somebody, the message should have a signature, otherwise it can come from anybody with access to the sender's e-mail account.

To prevent people from signing things with your key (or reading your encrypted messages), you need to use a good password (more likely, a passphrase), and don't leave your computer alone while the password is cached in memory (you can set a short amount of time for it to be remembered, or you can clear the cached password before leaving).

To prevent people from sending messages using your e-mail address, you can either:

1.- Protect your Windows account with a password, and never leave the computer with your session open.

2.- Don't let Thunderbird store your e-mail account password (so you would have to enter it manually each and every time you want to use the e-mail account... very inconvenient).

3.- Protect Thunderbird's password database with a Master Password, and close Thunderbird each time you leave the computer alone.

Keep in mind that, from the OpenPGP point of view (if I understood it right), your identity is checked by your signature, not by the e-mail account used to send the message.
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJM5/gSAAoJEMV4f6PvczxAqI4H+wZxm/4U4VDYEPRXDAKavhj/
VztDPQA74hJkzCiB8z6FL9zSDd4iluxM7Mu43WQcm88H81iGS7ZpK3636wBlFreS
Xu2PBF2bGuEmLPpg9ataoDytQMBYMb15z6VPBmKKogPCKvH2TcuP/U7dUGs9iv3N
Z+aR4vl/tEFSP2N6ehYWbs55nFu4tAKQJbzv65Qyo008/nCs0xWpDZmAwfxJNjkr
RpMV8OHmKEPTts78qXb4wtKaYt3acfN/pHop9LO57RyApi3bP47Xdjy+E6mxQtnp
s4CJI3xgFAHvFEMNrv351GkYKktAYqVUjYIRbqyYm69oR4ti+7Idv7v23OB4ox0=
=s7A9
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
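The key-usage rules laid out in the reply above (encrypt with the recipient's public key, decrypt with your own private key, sign with your own private key, verify with the sender's public key) replayed as an added, runnable illustration. This is not code from the thread or from GnuPG: it uses raw RSA-OAEP and RSA-PSS from Go's standard library in place of OpenPGP, and the parties Alice, Bob and Mallory, the sample message, and the Scenario/Outcome names are constructed for the example. It shows why an encrypted-but-unsigned message proves nothing about the sender: Mallory can encrypt to Bob with nothing but Bob's public key, but cannot produce a signature that verifies under Alice's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one correspondent's key pair. In this illustration the pair
// is a plain RSA key from Go's standard library, not an OpenPGP
// certificate; the rules about which half is needed for what are the same.
type Party struct {
	Name string
	Priv *rsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func NewParty(name string) *Party {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return &Party{Name: name, Priv: priv}
}

// Public returns the half of the key that anyone may hold without risk.
func (p *Party) Public() *rsa.PublicKey { return &p.Priv.PublicKey }

// Encrypt needs only the RECIPIENT's public key: any sender can do this.
func Encrypt(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Decrypt needs the recipient's own private key.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Priv, ct, nil)
}

// Sign needs the SENDER's own private key (the thing the passphrase protects).
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.Priv, crypto.SHA256, h[:], nil)
}

// Verify needs only the claimed sender's public key.
func Verify(from *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(from, crypto.SHA256, h[:], sig, nil) == nil
}

// Outcome records what Bob can and cannot conclude in the constructed scenario.
type Outcome struct {
	AliceDecrypts     bool // Bob reads Alice's encrypted message
	MalloryDecrypts   bool // Bob reads Mallory's message just as well: no sender proof
	AliceSigVerifies  bool // a signature made with Alice's private key checks out
	MallorySigAsAlice bool // Mallory's signature presented as Alice's must NOT check out
}

// Scenario replays the situation from the thread with constructed parties:
// both Alice and Mallory encrypt to Bob using only Bob's public key, so
// decryption alone says nothing about origin; only a signature that verifies
// under Alice's public key does, and producing it needs Alice's private key.
func Scenario() Outcome {
	alice, bob, mallory := NewParty("Alice"), NewParty("Bob"), NewParty("Mallory")
	msg := []byte("constructed sample message: the meeting is at noon") // constructed input

	ctA, err := Encrypt(bob.Public(), msg)
	must(err)
	ctM, err := Encrypt(bob.Public(), msg) // Mallory needs no private key at all
	must(err)
	ptA, err := bob.Decrypt(ctA)
	must(err)
	ptM, err := bob.Decrypt(ctM)
	must(err)

	sigA, err := alice.Sign(msg)
	must(err)
	sigM, err := mallory.Sign(msg) // signed with Mallory's key, then claimed to be Alice's
	must(err)

	return Outcome{
		AliceDecrypts:     string(ptA) == string(msg),
		MalloryDecrypts:   string(ptM) == string(msg),
		AliceSigVerifies:  Verify(alice.Public(), msg, sigA),
		MallorySigAsAlice: Verify(alice.Public(), msg, sigM),
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The two "decrypts" results are identical for Alice and Mallory, which is exactly the original poster's situation: a message that is only encrypted tells the recipient that the sender had the recipient's public key, nothing more. The signature check is the only step that distinguishes them, and it is the private key (and so the passphrase guarding it) that Mallory lacks.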