Re: [ilugd] Mail authentication
On Thursday 11 Sep 2008, Anupam Jain wrote: On Thu, Sep 11, 2008 at 10:31 AM, Raj Mathur [EMAIL PROTECTED] wrote: Let's pray to whatever Gods or Chaos or Probability we believe in that they never do. GPG/PGP on a web-mail service is an oxymoron -- the whole point of personal privacy is lost if you're delegating signing and/or verification to some III-party. Yes but a *mutually trusted* third party. ...and that mutually trusted III-party would be? Will you trust the people I do, and will I trust the people you do? In general, the objective of GPG is to provide end-users with the ability to encrypt and sign their messages themselves. If you want to delegate some part of that trust to another entity probably the best thing to do is use certificates from one of the many certificate shops on the 'net. Remember the Bad Old Days when top executives and bureaucrats used to have their secretaries reading their mail? Do we have secretaries encrypting and validating mails with GPG keys now? :) Regards, -- Raju -- Raj Mathur[EMAIL PROTECTED] http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F PsyTrance Chill: http://schizoid.in/ || It is the mind that moves ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Raj Mathur wrote: Let's pray to whatever Gods or Chaos or Probability we believe in that they never do. GPG/PGP on a web-mail service is an oxymoron -- the whole point of personal privacy is lost if you're delegating signing and/or verification to some III-party. And that is why this comes from T-bird MUA. Needs a little getting used to. - -- Sudev Barar -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIyMlULwOWaWW0MJYRAmDkAJwNgJ1/E1VVkLLnJ3F0i28yIUamxgCeMLjl vynTLVmI43k8vwfNxQuRgwk= =qLw7 -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
[ilugd] Mail authentication
How can I show / prove that the copy of email shown by some one is not tampered with when compared to original email? Scenario - A sent an email to a B and D. B has tampered with the text of email and forwarded to C. C comes to D with a print copy of email from B. How can D show C that the original email by A and forwarded email by C are modified. D has shown C the original from A but C is not convinced and is casting aspersion on A and D of showing tampered emails. In similar scenario how does pgp signed mail proves the case except show genuineness of senders signatures? Sorry if this is something so simple that I am missing the obvious. -- Regards, Sudev Barar Read http://blog.sudev.in for topics ranging from here to there. PS: I know most of people do not follow email niceties (mostly they are not aware) but if you follow bottom post/in-line post style of email conversations it becomes a whole lot easier to carry on meaningful dialogue and you can snip out what is not meaningful too. Most people just hit reply button and top post leaving prior message appended uselessly at bottom. See if you can adopt this style and persuade others. In case you are already doing this . great, spread the message. ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sudev Barar writes: How can I show / prove that the copy of email shown by some one is not tampered with when compared to original email? Scenario - A sent an email to a B and D. B has tampered with the text of email and forwarded to C. C comes to D with a print copy of email from B. How can D show C that the original email by A and forwarded email by C are modified. D has shown C the original from A but C is not convinced and is casting aspersion on A and D of showing tampered emails. I don't think it is possible unless, domainkeys or something similar authentication mechanism is in use B has forwarded complete mail (including all headers) to C, then you can compare the DomainKeys headers (or other mechanism's stuff) in both the mails. In similar scenario how does pgp signed mail proves the case except show genuineness of senders signatures? If message is tampered with, the signature verfication process will fail. HTH - -- ·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- () ascii ribbon campaign - against HTML e-mail /\ www.asciiribbon.org - against proprietary attachments -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkjHkNYACgkQHy+EEHYuXnQvLgCeOHlTKeSWmbCkLsC5WQ6nc2YT 0a4AnjsxP0At5AHvqTH1fY9g7aFqZXX7 =eRSC -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
On 9/10/08, Sudev Barar [EMAIL PROTECTED] wrote: How can I show / prove that the copy of email shown by some one is not tampered with when compared to original email? Scenario - A sent an email to a B and D. B has tampered with the text of email and forwarded to C. C comes to D with a print copy of email from B. How can D show C that the original email by A and forwarded email by C are modified. D has shown C the original from A but C is not convinced and is casting aspersion on A and D of showing tampered emails. In similar scenario how does pgp signed mail proves the case except show genuineness of senders signatures? Sorry if this is something so simple that I am missing the obvious. How about a central place where the sender puts up the md5sum of the sent mail? ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
Scenario - A sent an email to a B and D. B has tampered with the text of email and forwarded to C. C comes to D with a print copy of email from B. How can D show C that the original email by A and forwarded email by C are modified. D has shown C the original from A but C is not convinced and is casting aspersion on A and D of showing tampered emails. A basic check that I will do is - get full mail headers of mail sent to D and of that sent to C, read headers from bottom to up to find the discrepancy. -N Unlimited freedom, unlimited storage. Get it now, on http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html/ ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In [EMAIL PROTECTED], Nishant Sharma wrote: Scenario - A sent an email to a B and D. B has tampered with the text of email and forwarded to C. C comes to D with a print copy of email from B. How can D show C that the original email by A and forwarded email by C are modified. D has shown C the original from A but C is not convinced and is casting aspersion on A and D of showing tampered emails. A basic check that I will do is - get full mail headers of mail sent to D and of that sent to C, read headers from bottom to up to find the discrepancy. Don't you think in that case, the result will be negative, since mail header in mail sent to D != mail sent to C because, both the mails are originating from different sources. Ashish - -- ·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- () ascii ribbon campaign - against HTML e-mail /\ www.asciiribbon.org - against proprietary attachments -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkjIFOMACgkQHy+EEHYuXnRDgwCePLVQhruVzFTF5OKrIDs2tUVS ihYAoMooWNu00N7ll4CQ88p9YtilFsJ4 =xdTZ -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
2008/9/11 आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED]: but C is not convinced and is casting aspersion on A and D of showing tampered emails. A basic check that I will do is - get full mail headers of mail sent to D and of that sent to C, read headers from bottom to up to find the discrepancy. Don't you think in that case, the result will be negative, since mail header in mail sent to D != mail sent to C because, both the mails are originating from different sources. Exactly the problem. And D does not have access to machines of A or B. Only original email of A sent to him and B and access to C. How does pgp signature generate hash and is there something out there which could be fed in given text and public key of A to generate hash and compare it with hash appearing on the emaiil copy or C as forwarded by B? -- Regards, Sudev Barar Read http://blog.sudev.in for topics ranging from here to there. PS: I know most of people do not follow email niceties (mostly they are not aware) but if you follow bottom post/in-line post style of email conversations it becomes a whole lot easier to carry on meaningful dialogue and you can snip out what is not meaningful too. Most people just hit reply button and top post leaving prior message appended uselessly at bottom. See if you can adopt this style and persuade others. In case you are already doing this . great, spread the message. ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
2008/9/11 Raj Mathur [EMAIL PROTECTED]: On Thursday 11 Sep 2008, Sudev Barar wrote: [snip] How does pgp signature generate hash and is there something out there which could be fed in given text and public key of A to generate hash and compare it with hash appearing on the emaiil copy or C as forwarded by B? If your mail program supports GPG/PGP (as most modern MUAs do), it will verify the hashes and signatures automatically. You don't need to start doing the hashing and verifying the signatures manually. Yep thunderbird/evolution support and verify signatures and hash automatically BUT on mails that are received by me. However in this scenario I am trying to make verification of message from two sources that are different. I want to prove that one of them is showing false output. All I have is original senders public key. -- Regards, Sudev Barar Read http://blog.sudev.in for topics ranging from here to there. PS: I know most of people do not follow email niceties (mostly they are not aware) but if you follow bottom post/in-line post style of email conversations it becomes a whole lot easier to carry on meaningful dialogue and you can snip out what is not meaningful too. Most people just hit reply button and top post leaving prior message appended uselessly at bottom. See if you can adopt this style and persuade others. In case you are already doing this . great, spread the message. ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In [EMAIL PROTECTED], Sudev Barar wrote: 2008/9/11 आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED]: but C is not convinced and is casting aspersion on A and D of showing tampered emails. A basic check that I will do is - get full mail headers of mail sent to D and of that sent to C, read headers from bottom to up to find the discrepancy. Don't you think in that case, the result will be negative, since mail header in mail sent to D != mail sent to C because, both the mails are originating from different sources. Exactly the problem. And D does not have access to machines of A or B. Only original email of A sent to him and B and access to C. How does pgp signature generate hash and is there something out there which could be fed in given text and public key of A to generate hash and compare it with hash appearing on the emaiil copy or C as forwarded by B? Good time to start using PGP :). Lets have a key-signing party this software freedom day :). Ashish - -- ·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- () ascii ribbon campaign - against HTML e-mail /\ www.asciiribbon.org - against proprietary attachments -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkjIm4IACgkQHy+EEHYuXnQ1fQCfZQVF/6///+mNONQp/fSO5RLM VHQAoKe6ETfTN0+HpQKoEXWmWbCfVdUY =AQdI -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
2008/9/11 आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED]: How does pgp signature generate hash and is there something out there which could be fed in given text and public key of A to generate hash and compare it with hash appearing on the emaiil copy or C as forwarded by B? Good time to start using PGP :). Lets have a key-signing party this software freedom day :). Yes. But I am using gmail for list work and that does not (yet?) support signing. Better that I move to using MUA for all mails. -- Regards, Sudev Barar Read http://blog.sudev.in for topics ranging from here to there. PS: I know most of people do not follow email niceties (mostly they are not aware) but if you follow bottom post/in-line post style of email conversations it becomes a whole lot easier to carry on meaningful dialogue and you can snip out what is not meaningful too. Most people just hit reply button and top post leaving prior message appended uselessly at bottom. See if you can adopt this style and persuade others. In case you are already doing this . great, spread the message. ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sudev Barar wrote: Good time to start using PGP :). Lets have a key-signing party this software freedom day :). Yes. But I am using gmail for list work and that does not (yet?) support signing. Better that I move to using MUA for all mails. So like this. - -- Sudev Barar -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIyJ2RLwOWaWW0MJYRAhhTAJ93yOe2KdIGMS/o30VAVR00+0smqwCeOXe6 fTHKeEljq7I4JMkxivDhSlo= =HiHs -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In [EMAIL PROTECTED], Sudev Barar wrote: 2008/9/11 आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED]: How does pgp signature generate hash and is there something out there which could be fed in given text and public key of A to generate hash and compare it with hash appearing on the emaiil copy or C as forwarded by B? Good time to start using PGP :). Lets have a key-signing party this software freedom day :). Yes. But I am using gmail for list work and that does not (yet?) support signing. Better that I move to using MUA for all mails. /me points sudev to http://getfiregpg.org/install.html Well, that has only support for inline PGP atm, and this list doesn't like MIME attachements :). HTH - -- ·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- () ascii ribbon campaign - against HTML e-mail /\ www.asciiribbon.org - against proprietary attachments -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkjIndQACgkQHy+EEHYuXnQBwACfe8Qm4ehU3/CPuvv+WLH+Gsu/ dRcAn0UzEzeYvZf2JFxh+5FvatVusd1F =MtlR -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
On Thursday 11 Sep 2008, Sudev Barar wrote: 2008/9/11 Raj Mathur [EMAIL PROTECTED]: If your mail program supports GPG/PGP (as most modern MUAs do), it will verify the hashes and signatures automatically. You don't need to start doing the hashing and verifying the signatures manually. Yep thunderbird/evolution support and verify signatures and hash automatically BUT on mails that are received by me. However in this scenario I am trying to make verification of message from two sources that are different. I want to prove that one of them is showing false output. All I have is original senders public key. Copy each of the messages into, say, /tmp/msg1.txt and /tmp/msg2.txt . gpg --verify /tmp/msg1.txt gpg --verify /tmp/msg2.txt This will work if the mails are signed inline (signature is part of mail). If the mails have a detached signature (as an attachment), then you'll have to pull out the text and the signature parts into separate files (msg1, msg1.sig, msg2, msg2.sig e.g.). Then: gpg --verify msg1.sig msg1 gpg --verify msg2.sig msg2 or something along those lines. Regards, -- Raju -- Raj Mathur[EMAIL PROTECTED] http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F PsyTrance Chill: http://schizoid.in/ || It is the mind that moves ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ? Ashish Shukla wrote: /me points sudev to http://getfiregpg.org/install.html Well, that has only support for inline PGP atm, and this list doesn't like MIME attachements :). Thanks. And Ashish, this is what I get on your signature verification/download from public key server: Error - signature verification failed gpg command line and output: /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d gpg: Signature made Thursday 11 September 2008 09:55:56 AM IST using DSA key ID 762E5E74 gpg: BAD signature from Ashish Shukla (My locally hosted mailbox) [EMAIL PROTECTED] - -- Sudev Barar -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIyKLzLwOWaWW0MJYRAh/qAKCBNcO9OSaj7nD2KELvDn3Z0QrvGwCfWybX T8fUox+J+9Ba1djhfgFvZBQ= =PvpP -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
On Thursday 11 Sep 2008, Sudev Barar wrote: 2008/9/11 आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED]: Good time to start using PGP :). Lets have a key-signing party this software freedom day :). Yes. But I am using gmail for list work and that does not (yet?) support signing. Better that I move to using MUA for all mails. Let's pray to whatever Gods or Chaos or Probability we believe in that they never do. GPG/PGP on a web-mail service is an oxymoron -- the whole point of personal privacy is lost if you're delegating signing and/or verification to some III-party. Regards, -- Raju -- Raj Mathur[EMAIL PROTECTED] http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F PsyTrance Chill: http://schizoid.in/ || It is the mind that moves ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
On Thu, Sep 11, 2008 at 10:31 AM, Raj Mathur [EMAIL PROTECTED] wrote: On Thursday 11 Sep 2008, Sudev Barar wrote: 2008/9/11 आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED]: Good time to start using PGP :). Lets have a key-signing party this software freedom day :). Yes. But I am using gmail for list work and that does not (yet?) support signing. Better that I move to using MUA for all mails. Let's pray to whatever Gods or Chaos or Probability we believe in that they never do. GPG/PGP on a web-mail service is an oxymoron -- the whole point of personal privacy is lost if you're delegating signing and/or verification to some III-party. Yes but a *mutually trusted* third party. -- Anupam ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Mail authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In [EMAIL PROTECTED], Sudev Barar wrote: ? Ashish Shukla wrote: /me points sudev to http://getfiregpg.org/install.html Well, that has only support for inline PGP atm, and this list doesn't like MIME attachements :). Thanks. And Ashish, this is what I get on your signature verification/download from public key server: Error - signature verification failed gpg command line and output: /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d gpg: Signature made Thursday 11 September 2008 09:55:56 AM IST using DSA key ID 762E5E74 gpg: BAD signature from Ashish Shukla (My locally hosted mailbox) [EMAIL PROTECTED] Use a sane MUA, Gnus[1], Kmail[2] or mutt[3] (which sucks less). Thunderbird sucks :( . References: [1] - http://www.gnus.org/ [2] - http://kontact.kde.org/kmail/ [3] - http://www.mutt.org/ Ashish Shukla - -- ·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- () ascii ribbon campaign - against HTML e-mail /\ www.asciiribbon.org - against proprietary attachments -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkjIseoACgkQHy+EEHYuXnSYoACfYZ//GGW45ShB02AAdiivLocm FnYAoK40q5N0He9k+/Cfi1OuNgrrt7RE =wXs0 -END PGP SIGNATURE- ___ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/