-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 24, 2007 at 11:37:09AM -0700, ptr wrote:
> 
> Agree with the DNS poisoning, my form would need to be SSL'ed with my private
> certificate.
> 
> In terms of educating my recipients - yes, it may be tricky, that is
> probably the weakest point of my concept, will need to think how to approach
> it.
> The solution should be both easy for the recipient, but also somehow
> spam/hack proof.
> 

Errrr... And when you think about it, if the user has to go to your site to
validate the email, why not just put the message on your site in the first
place?
> Just one more question:
> What parameters are used to create the hash? well, apart from the message itself
> and my private key.

That's it.

As an example this email, signed by me, is using an inline PGP signature. The
*only* thing included in the hash is what is between the START and END bits,
that's it, no headers no nothing. I'm not positive, but I believe the MIME
based PGP is pretty similar.

Of course, this means that you can fake the headers without invalidating the
signature... Of course, it's also why it's so trivial to handle, just feed the
message to gpg --verify and check the result. Trivial.

- -- 
http://petertodd.ca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVd+B3bMhDbI9xWQRAr1HAJsEKu/CPZsz6JMTRiAHNx4GWQgTzgCgjkwo
+wbmfNOugtlIIyoIKvxwEhU=
=G6h6
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
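The point made above, that an inline (clearsigned) PGP signature covers only the text between the BEGIN/END markers and not the mail headers, can be seen by recovering exactly the bytes that get hashed. The following is an added example, not code from the message or from GnuPG: it extracts the signed region of a clearsigned mail and applies the canonicalization rules of RFC 4880 section 7.1 (dash-escape removal, trailing whitespace stripped, CRLF line endings), so that the reader can confirm that editing headers leaves the signed input unchanged while editing the body does not. The sample mail, its addresses and its armored signature block are constructed placeholders; the signature data is not a real signature, and actual verification is still the job of `gpg --verify`.

```python
"""Recover the exact text covered by an inline (clearsigned) OpenPGP signature.

Added example, not part of the original mailing-list message. It illustrates
why changing mail headers does not invalidate an inline PGP signature: only
the lines between the clearsign header and "-----BEGIN PGP SIGNATURE-----"
are hashed, after RFC 4880 section 7.1 canonicalization. Checking the
signature itself is left to `gpg --verify`.
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return (signed body lines, armored signature text) from a clearsigned mail.

    Everything before BEGIN_SIGNED (the RFC 822 headers) is ignored, as are the
    "Hash:" armor headers and the blank line that terminates them.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a clearsigned message") from exc
    # Skip armor headers such as "Hash: SHA1" up to and including the blank line.
    body_start = start + 1
    while body_start < sig_start and lines[body_start].strip() != "":
        body_start += 1
    body_start += 1
    body = lines[body_start:sig_start]
    signature = "\n".join(lines[sig_start:sig_end + 1])
    return body, signature


def canonical_signed_text(body_lines):
    """Apply the RFC 4880 7.1 rules to the clearsigned body.

    - remove the "- " dash-escape that protects lines beginning with '-'
    - strip trailing whitespace from every line
    - join with CRLF; the final line ending is not part of the hashed data
    """
    out = []
    for line in body_lines:
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    return "\r\n".join(out).encode("utf-8")


def signed_bytes(text):
    """Convenience wrapper: the bytes a verifier feeds to the hash for `text`."""
    body, _signature = split_clearsigned(text)
    return canonical_signed_text(body)


# Constructed sample mail (addresses and signature block are placeholders).
# Note the dash-escaped signature separator "- -- ", as in the message above.
MESSAGE = "\n".join([
    "From: alice@example.org",
    "To: bob@example.org",
    "Subject: status",
    "",
    BEGIN_SIGNED,
    "Hash: SHA1",
    "",
    "The invoice is approved.",
    "- -- ",
    "Alice",
    BEGIN_SIG,
    "Version: GnuPG v1.4.6 (GNU/Linux)",
    "",
    "PLACEHOLDERSIGNATUREDATAnotarealsignature=",
    "=XXXX",
    END_SIG,
]) + "\n"

# Headers rewritten: the signed input is unchanged, so gpg would still say "Good signature".
TAMPERED_HEADERS = (MESSAGE
                    .replace("From: alice@example.org", "From: mallory@example.org")
                    .replace("Subject: status", "Subject: URGENT"))

# Body rewritten: the signed input changes, so the signature no longer matches.
TAMPERED_BODY = MESSAGE.replace("approved", "rejected")


if __name__ == "__main__":
    print("signed input:", signed_bytes(MESSAGE))
    print("headers changed, same signed input:",
          signed_bytes(MESSAGE) == signed_bytes(TAMPERED_HEADERS))
    print("body changed, same signed input:",
          signed_bytes(MESSAGE) == signed_bytes(TAMPERED_BODY))
```

The practical consequence for a mail client or filter is that a "Good signature" result from `gpg --verify` says nothing about From:, To:, Subject: or Date:; anything that must be bound to the signature has to be placed inside the signed text itself.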