-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At some point hitherto, Justin R. Miller hath spake thusly:
> Thus spake Derek D. Martin ([EMAIL PROTECTED]):
>
> > > The "s" in the index is sufficient for me if I want to know if a
> > > message is signed.
> >
> > Perhaps, but it's not enough to tell you if the message was signed by
> > the person it claimed to be signed by.
>
> It changes from 's' to 'S' upon verification.

Perhaps, but unless I misunderstand how mutt verifies the signature, even that isn't an indication that the mail was signed by the person the e-mail claims to be from. AFAIU, it is only an indication that the signature was verified as being made by a key that's in your keyring. Only the gpg/PGP output will identify who actually signed the mail. Is that not so?

If so, then if you had my key, and I knew you had someone else's key, and I knew that you depended only on checking the s or S, I could easily forge mail as the other person, and you'd think that it was signed by them, when in fact it was signed by me.

I can guarantee you that, if that were the case (more specifically, if the message showed as S without any indication that it was signed by the person mentioned in the From: header), you'd be seeing a posting about it on bugtraq. I'd probably post it myself...

Remember, the point of signing a message is to prove, as conclusively as possible, that the e-mail originated from whence it claimed to have originated.

- --
Derek Martin [EMAIL PROTECTED]
- ---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8OjqCdjdlQoHP510RAjupAJ42Fs7+1xHVL2LD0S72uBZQ4GDZugCfdurk
LJwpgkb+qXl/uvsne1QBhpE=
=RPrq
-----END PGP SIGNATURE-----
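The check Derek is asking for, namely whether the key that produced a good signature actually belongs to the address in the From: header, can be made mechanically from the machine-readable status lines GnuPG writes when invoked with `--status-fd` (for example `gpg --status-fd 1 --verify msg.asc`). The script below is an added example written for this page; it is not code from the thread, from mutt, or from GnuPG. It parses a captured status stream offline, so all key IDs, fingerprints, user IDs and addresses in it are constructed, and it assumes the single-signature case where one GOODSIG/VALIDSIG/TRUST_* group appears.

```python
"""Compare the key that verified a PGP signature against the message's From:
header.

Added example; not code from the mailing-list thread, from mutt or from GnuPG.
It consumes the lines GnuPG prints on --status-fd (e.g.
``gpg --status-fd 1 --verify msg.asc``), so it runs offline on a captured
status stream.  Every key ID, fingerprint, user ID and address below is
constructed for the example.
"""
from dataclasses import dataclass
from email.utils import parseaddr

STATUS_PREFIX = "[GNUPG:] "
TRUST_LEVELS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE")


@dataclass
class Verdict:
    good_signature: bool        # GOODSIG seen: roughly what mutt's 'S' tells you
    signer_uid: str             # user ID GnuPG printed for the signing key
    signer_fpr: str             # fingerprint from VALIDSIG ("" if absent)
    trust: str                  # TRUST_* level GnuPG assigned to that key
    from_address: str           # address parsed from the From: header
    signer_matches_from: bool   # the extra check the 'S' flag does not make


def parse_status(status_text):
    """Split GnuPG --status-fd output into {keyword: argument string}.

    Assumes one signature; with several, GnuPG emits one
    GOODSIG/VALIDSIG/TRUST_* group per signature and the last group wins here.
    """
    fields = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary gpg output, not a status line
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        fields[keyword] = args
    return fields


def verify_signer(status_text, from_header):
    """Return a Verdict: was the signature good, and did the From: address make it?"""
    fields = parse_status(status_text)
    _, from_addr = parseaddr(from_header)
    from_addr = from_addr.lower()

    goodsig = fields.get("GOODSIG")
    if goodsig is None:
        # BADSIG, ERRSIG or NO_PUBKEY: no key in the keyring vouches for this mail
        return Verdict(False, "", "", "TRUST_UNKNOWN", from_addr, False)

    # GOODSIG <long key id or fingerprint> <primary user id>
    _, _, uid = goodsig.partition(" ")
    _, uid_addr = parseaddr(uid)

    # VALIDSIG <fingerprint> <sig date> <sig timestamp> ...; keep the fingerprint
    validsig = fields.get("VALIDSIG", "")
    fpr = validsig.split(" ", 1)[0] if validsig else ""

    trust = next((t for t in TRUST_LEVELS if t in fields), "TRUST_UNKNOWN")

    return Verdict(
        good_signature=True,
        signer_uid=uid,
        signer_fpr=fpr,
        trust=trust,
        from_address=from_addr,
        signer_matches_from=bool(uid_addr) and uid_addr.lower() == from_addr,
    )


# Constructed status stream: a good signature from a key that is in the keyring.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Derek Martin <derek@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-01-07 1010499714 0 4 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed status stream: the signature does not verify at all.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Derek Martin <derek@example.com>
"""


def demo():
    """The forgery case from the thread: a good signature, but from the wrong key."""
    honest = verify_signer(STATUS_GOOD, "Derek Martin <derek@example.com>")
    forged = verify_signer(STATUS_GOOD, "Someone Else <alice@example.com>")
    broken = verify_signer(STATUS_BAD, "Derek Martin <derek@example.com>")
    for name, v in (("honest", honest), ("forged", forged), ("broken", broken)):
        print(f"{name}: good={v.good_signature} signer={v.signer_uid!r} "
              f"from={v.from_address} matches_from={v.signer_matches_from} "
              f"trust={v.trust}")
    return honest, forged, broken


if __name__ == "__main__":
    demo()
```

In the "forged" case above the signature is good and the key is in the keyring, so a client that only reports "verified" would show it the same way as the honest case; only the comparison of the signer's user ID against the From: address separates them. Two caveats: GOODSIG carries only the key's primary user ID, so a key with several user IDs needs them all listed (for instance with `gpg --with-colons --list-keys <fingerprint>`) before concluding a mismatch, and a match of addresses still says nothing about whether you trust that key, which is what the TRUST_* level is for.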