-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At some point hitherto, Ben Reser hath spake thusly:
> > If so, then if you had my key, and I knew you had someone else's key,
> > and I knew that you depended only on checking the s or S, I could
> > easily forge mail as the other person, and you'd think that it was
> > signed by them, when in fact it was signed by me.
>
> No not if you wanted people to non-obviously think it was sent by them.
> You see your email is the perfect example.  Mutt did not show it as
> authenticated.  Even though GPG did.  Why?  Because your key didn't
> match the email address you sent it from.
>
> From: "Derek D. Martin" <[EMAIL PROTECTED]>
[SNIP]
> gpg: Good signature from "Derek Martin <[EMAIL PROTECTED]>"
> gpg:                 aka "Derek Martin <[EMAIL PROTECTED]>"
[SNIP]
>
> 37 sL Jan 07 Derek D. Martin (1.9K) x x mq>
>    ^^
> Note the small s.

That's interesting.  I didn't realize mutt would do that.  Though in
THIS case, it SHOULD match, and should be considered verified by mutt.
Note that the only difference between the e-mail address in my key and
the e-mail address I sent the mail from is the "+mutt" detail, which
is essentially a comment and does not affect mail delivery, as
specified by RFC 822.

I believe this is a bug.  It should, in this case and IMO, report a
positive signature verification.

- -- 
Derek Martin               [EMAIL PROTECTED]
- ---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8Ow3fdjdlQoHP510RAh/8AKCjduMhvG5xABMYjBL74jf4Df3vqgCfbcIM
69kdIjsidLplUYzwd+BpFoM=
=Hnvp
-----END PGP SIGNATURE-----
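
Added example, not part of the original message and not mutt's code: a sketch of the check discussed in this thread, which reports "S" only when a user ID on the signing key matches the From: address and "s" when the signature is good but the address differs. The addresses, the function names and the `ignore_detail` policy switch are assumptions made for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample input; the addresses are placeholders, not the poster's.
SAMPLE_FROM = '"Derek D. Martin" <derek+mutt@example.org>'
SAMPLE_GPG = (
    'gpg: Good signature from "Derek Martin <derek@example.org>"\n'
    'gpg:                 aka "Derek Martin <derek@example.net>"\n'
)

# User-ID lines in the form quoted in the message above.
_UID_LINE = re.compile(r'^gpg:\s+(?:Good signature from|aka)\s+"(.*)"\s*$')


def signer_addresses(gpg_output):
    """Return the addresses from the user-ID lines of a good signature."""
    addrs = []
    for line in gpg_output.splitlines():
        m = _UID_LINE.match(line)
        if m:
            addr = parseaddr(m.group(1))[1]
            if addr:
                # Lower-casing the whole address is a simplification.
                addrs.append(addr.lower())
    return addrs


def strip_detail(addr):
    """Drop a '+detail' suffix from the local part (a site policy choice)."""
    local, sep, domain = addr.rpartition("@")
    return local.split("+", 1)[0] + sep + domain


def index_flag(from_header, gpg_output, ignore_detail=False):
    """'S': good signature and a user ID matches From:.
    's': good signature, but no user ID matches From:.
    ' ': no good signature found in the output."""
    uids = signer_addresses(gpg_output)
    if not uids:
        return " "
    sender = parseaddr(from_header)[1].lower()
    if ignore_detail:
        sender = strip_detail(sender)
        uids = [strip_detail(u) for u in uids]
    return "S" if sender in uids else "s"


if __name__ == "__main__":
    print("strict:       ", index_flag(SAMPLE_FROM, SAMPLE_GPG))
    print("ignore detail:", index_flag(SAMPLE_FROM, SAMPLE_GPG, ignore_detail=True))
```

Parsing the human-readable lines keeps the example close to the output quoted in the thread; gpg's `--status-fd` output is the interface intended for programs. Ignoring the detail widens what counts as a match, so it is only appropriate where every `user+detail` address is known to reach the same mailbox owner as `user`.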