From owner-freebsd-questions Tue Aug 7 7: 6:36 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from stelesys.com (www.stelesys.com [208.177.187.226])
	by hub.freebsd.org (Postfix) with ESMTP id E1B8A37B401
	for ; Tue, 7 Aug 2001 07:06:28 -0700 (PDT)
	(envelope-from jerry@stelesys.com)
Received: from jbell (dhcp-247.bellnetworks.net [208.177.187.247] (may be forged))
	(authenticated)
	by stelesys.com (8.11.3/8.11.2) with ESMTP id f77E8PY07617;
	Tue, 7 Aug 2001 10:08:25 -0400 (EDT)
	(envelope-from jerry@stelesys.com)
Message-ID: <001c01c11f4a$846ea810$f7bbb1d0@jbell>
From: "Jerry Bell"
To: "parv" , "f-q"
References: <20010807023118.A47821@moo.holy.cow>
Subject: Re: how is mail secure when only signed?
Date: Tue, 7 Aug 2001 10:09:04 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Filter-Version: 1.3 (www.stelesys.com)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Signed email isn't "more secure" per se, but it does give the recipient an
assurance that whoever is claiming to be the sender actually sent the
message.

If I send you my public key through some means (directly, through a key
server, or whatever), then 'sign' my email, which means that I basically
encrypt a fingerprint of the email I sent with my private key, your browser
creates the same fingerprint based on the email, decrypts your 'signature'
with the known public key, and does a comparison. If they don't match, then
someone's trying to portray someone they're not, or their keys are messed up.

That's a pretty simplistic view and I'm sure there are other intricacies,
but as you can see, it doesn't really keep an unauthorized person from
reading your email.

Jerry
http://www.syslog.org

----- Original Message -----
From: "parv"
To: "f-q"
Sent: Tuesday, August 07, 2001 2:31 AM
Subject: how is mail secure when only signed?

> i am curious as why would some people, thus software, would consider a
> plain text mail which is only signed, not encrypted, w/ public key of
> some encryption scheme as secure? i mean what's stopping alice to use
> bob's public key to sign her mail to dupe the receiver as if mail is
> from bob?
>
> in other words, if public key signature is used to mark mail secure,
> not to actually encrypt, how could the source/owner of public key be
> verified?
>
>
> --
> so, do you like word games or scrabble?
> - parv
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
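
The fingerprint, sign and compare steps described in the reply above, as an added example that is not part of the original thread. It assumes textbook RSA without padding over SHA-256 and constructed, undersized keys built from Mersenne primes; all function and variable names are hypothetical, and real mail signing (PGP, S/MIME) uses padded schemes and much larger keys.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def fingerprint(message, n):
    """SHA-256 digest of the mail, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """'Encrypt' the fingerprint with the sender's private key."""
    n, d = private
    return pow(fingerprint(message, n), d, n)

def verify(message, signature, public):
    """Recompute the fingerprint and compare with the opened signature."""
    n, e = public
    return pow(signature, e, n) == fingerprint(message, n)

# Constructed keys: far too small for real use.
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**107 - 1)

MAIL = b"From: bob\n\nMeet at noon."  # constructed sample, sent in the clear

def demo():
    n = BOB_PUB[0]
    sig = sign(MAIL, BOB_PRIV)
    return {
        # Bob's own signature checks out against Bob's public key.
        "genuine": verify(MAIL, sig, BOB_PUB),
        # Any change to the body breaks the match.
        "tampered": verify(MAIL.replace(b"noon", b"nine"), sig, BOB_PUB),
        # Alice signing with her own private key does not pass as Bob.
        "alice_private_key": verify(MAIL, sign(MAIL, ALICE_PRIV), BOB_PUB),
        # Alice "signing" with Bob's public key does not pass either.
        "bob_public_key": verify(MAIL, pow(fingerprint(MAIL, n), E, n), BOB_PUB),
        # Signing gave no confidentiality: the body is still plain text.
        "body_readable": b"Meet at noon." in MAIL,
    }

if __name__ == "__main__":
    print(demo())
```

The check only ties the mail to whoever holds the private key; whether that key really belongs to Bob still depends on how the recipient obtained the public key.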