| Jeff Abrahamson on Thu, 4 Sep 2003 08:43:47 -0400 |
|
I received an encrypted and signed email which I decrypt and verify by piping through gpg (no options). The output looked like below (the part indented by two spaces). In mutt, I type "|gpg<return>" Now, I don't suspect Erin was trying to spoof me, and she had enclosed a semi-random string that I had encrypted to her. So this one case doesn't bother me. But, in general, how can I distinguish between the end of the encrypted message and the beginning of the "gpg: Signature ..." stuff? Couldn't someone just include such a (forged) signature block at the end of their message, then encrypt the whole thing without signing, and so convince me that the message was signed by someone else? You need a passphrase to unlock the secret key for user: "Jeff Abrahamson <jeff@purple.com>" 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 (main key ID 0D1DAE4B) gpg: encrypted with 2048-bit ELG-E key, ID ADD31B0A, created 2003-08-28 "Erin Mulder <meara@alumni.princeton.edu>" gpg: encrypted with 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 "Jeff Abrahamson <jeff@purple.com>" Hi Jeff, It was great meeting you all. Thanks for signing my key. Cheers, Erin Jeff Abrahamson wrote: > Hi, Erin. > > Could you please respond to this message, signed and encrypted, so > that I know you are who you say you are? > > Here's a semi-random string to include in your response: > > 153758709bcbdfc23f745c0b4656939632cfb6df > > Thanks. > gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 8609 5F8C E335 F93F 40CC 14B8 10FA 4C88 A54D A2DF -- Jeff Jeff Abrahamson <http://www.purple.com/jeff/> GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B Attachment:
pgpvJDNBrTHoP.pgp
|
|