[Piet van Oostrum]
> >>>>> Alessandro Bottoni <[EMAIL PROTECTED]> (AB) wrote:

> >AB> Of course, I want to be sure that only the allowed people are
> >AB> able to send such dangerous messages to my server so I will ask
> >AB> my users to encrypt and digitally sign their messages using
> >AB> Thunderbird, Enigmail and GPG ...

> What benefit is there in encrypting the messages? It would only
> prevent people intercepting the message from seeing what's inside, but
> it won't give you any additional protection on the server.

Whenever a message contains sensitive information, it is a good idea to crypt it. Humans, and not only computers, may be harmful! :-)

There are cases where information may not leak, when it vehicles private information about people. Companies also have industrial secrets. The mere fact that two people are communicating is often a secret in itself.

> And if somebody can intercept the messages there is a much bigger danger:
> They could save the message and replay it later. You can't protect against
> this with encryption (well, with encryption they won't know what they
> are doing). Neither with a digital signature.

Protection against replay is easily guaranteed by sequencing requests, that is, including a sequence number within the message, each originator his sequence. A digital signature prevents someone from tampering with the sequence number without being detected.

--
François Pinard http://pinard.progiciels-bpi.ca
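The sequencing scheme described in the reply above, sketched as an added example that is not part of the original thread. HMAC-SHA256 with constructed per-originator keys stands in for GPG signature verification so that it runs with the standard library alone; `KEYS`, `sign`, `Receiver` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per originator. HMAC is an assumption standing in
# for verifying the originator's GPG signature.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}


def sign(sender, seq, command):
    """Originator side: the sequence number sits inside the authenticated body."""
    body = json.dumps({"seq": seq, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(KEYS[sender], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Server side: each originator has its own strictly increasing counter."""

    def __init__(self):
        self.last_seq = {}  # originator -> highest sequence number accepted

    def accept(self, msg, sender):
        key = KEYS.get(sender)
        if key is None:
            return "reject: unknown originator"
        expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad signature"
        fields = json.loads(msg["body"])  # parsed only after authentication
        seq = fields.get("seq")
        if not isinstance(seq, int) or isinstance(seq, bool):
            return "reject: bad sequence number"
        if seq <= self.last_seq.get(sender, 0):
            return "reject: replayed or stale sequence number"
        self.last_seq[sender] = seq  # recorded only once every check has passed
        return "accept: " + str(fields.get("cmd"))


def demo():
    rx = Receiver()
    first = sign("alice", 1, "restart service")
    results = [rx.accept(first, "alice"),
               rx.accept(first, "alice")]  # identical copy sent again: replay
    # Sequence number edited in transit; the tag no longer matches the body.
    tampered = dict(first, body=first["body"].replace(b'"seq": 1', b'"seq": 2'))
    results.append(rx.accept(tampered, "alice"))
    results.append(rx.accept(sign("bob", 1, "status"), "bob"))  # bob's own counter
    return results
```

In a deployment the `last_seq` table has to survive a server restart, otherwise every previously captured message becomes acceptable again.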