Agree with the DNS poisoning, my form would need to be SSL'ed with my private certificate.
In terms of educating my recipients - yes, it may be tricky, that is probably the weakest point of my concept, will need to think how to approach it. The solution should be both easy for the recipient, but also somehow spam/hack proof.

Errrr... Just one more question: What parameters are used to create the hash? Well, apart from the message itself and my private key.

Thanks
Peter

Peter Todd wrote:
>
> On Thu, May 24, 2007 at 10:29:11AM -0700, ptr wrote:
>>
>> I cannot "force" my recipients to install any PGP software so I was
>> thinking about creating signature verification form on my website. If
>> someone wanted to check if the email is really from me, he/she could
>> paste the signed email part on the form, then the server-side script
>> would verify that.
>>
>> I'm quite new to PGP, so correct me if I'm wrong and don't laugh too
>> much :) ; would this be achievable?
>> I know I'd need to have my public key accessible to the validation
>> script.
>>
>> While writing this response I've actually stumbled across a page that I
>> think does what I need (http://www.sin-online.nl/ds/)
>>
>> Actual coding of the script should be v.easy, I'm just not sure if the
>> concept is correct.
>
> A big problem with the idea is what you're telling your recipients, IE
> that by going to a completely untrusted site you can somehow trust an
> email. I suspect that a recipient with enough technical know-how to
> properly use such a verifier, IE type in the url themselves and make
> sure the site is ssl encrypted with a trusted certificate, wouldn't find
> it that much harder to simply install PGP software.
>
> For instance the page you mentioned is vulnerable to dns poisoning
> attacks as it's not SSL encrypted. Theoretical? Sure, but forged email
> messages aren't all that much less theoretical if your recipients know
> how to look at headers.
>
> --
> http://petertodd.ca
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

--
View this message in context: http://www.nabble.com/easy-way-to-confirm-email-validity-tf3808131.html#a10789992
Sent from the GnuPG - User mailing list archive at Nabble.com.
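
Added example (not part of the thread and not GnuPG code): a verification form like the one discussed must first isolate exactly the text a cleartext signature covers, following RFC 4880 section 7, and flag anything pasted outside it. The signature's digest is computed over these canonical bytes followed by fields of the signature packet itself (signature type, algorithms, hashed subpackets such as the creation time). The function name, the UTF-8 encoding and the sample paste are assumptions; the signature check itself is left to GnuPG.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(pasted):
    """Split pasted text into (hash_names, signed_bytes, armored_sig, unsigned)."""
    lines = pasted.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a complete cleartext-signed message") from None
    # Only "Hash:" armor headers may precede the blank separator line.
    hashes, i = [], start + 1
    while i < sig_start and lines[i].strip():
        name, _, value = lines[i].partition(":")
        if name != "Hash":
            raise ValueError("unexpected armor header: " + lines[i])
        hashes += [h.strip().upper() for h in value.split(",")]
        i += 1
    if i >= sig_start:
        raise ValueError("missing blank line after armor headers")
    body = []
    for line in lines[i + 1:sig_start]:
        if line.startswith("- "):          # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))    # trailing blanks are not signed
    # Canonical form: CRLF between lines, none after the last line.
    signed = "\r\n".join(body).encode("utf-8")  # UTF-8 is an assumption
    armored_sig = "\n".join(lines[sig_start:sig_end + 1])
    # Anything outside the two markers is NOT covered by the signature.
    outside = lines[:start] + lines[sig_end + 1:]
    unsigned = [l for l in outside if l.strip()]
    return hashes, signed, armored_sig, unsigned


# Constructed sample paste; the signature body is a placeholder.
SAMPLE = "\n".join([
    "Unsigned line above the block",
    BEGIN_MSG, "Hash: SHA256", "",
    "Meeting moved to 3pm.  ", "- -- ", "Peter",
    BEGIN_SIG, "", "(placeholder, not a real signature)", END_SIG,
    "Unsigned line below the block",
])

if __name__ == "__main__":
    hashes, signed, sig, unsigned = split_clearsigned(SAMPLE)
    print(hashes, signed, unsigned, sep="\n")
```

A form built on this should echo back only the decoded `signed` text next to the verification result and list the `unsigned` lines separately, so a "valid" verdict is never read as covering text outside the signed block.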