
Re: Secure mailing list service using OpenPGP



In <005901be49ae$b4cb1da0$cd683c81@xxxxxxxxxxxxxxxxxxxxxxx>, on 01/27/99 
   at 01:37 PM, " X c    G" <hiro@xxxxxxxxxxxxx> said:

>Another problem is conformance to the OpenPGP/MIME specification proposed by
>K.Yamamoto[OpenPGP/MIME]. For example, if an original message is using
>'Encrypted-then-Signed' service, the current implementation replaces the
>inner multipart/encrypted MIME object and this makes it impossible to verify
>the signature in the outer multipart/signed MIME object.

>Currently, I don't have solutions for these problems. I'm just
>starting to grapple with them. I welcome your comments.

Signature retention is a big issue that I have been involved with on both
the PGP/MIME and now the OpenPGP working groups. Basically there are two
ways to accomplish this:

NON-MIME Approach:

The original sender of the message clearsigns the message then encrypts
the message (a two step process). This way the server decrypts &
re-encrypts the message and the signature is retained.

MIME Approach:

The original sender OpenPGP/MIME signs the message then OpenPGP/MIME
encrypts the message (again a two step process).

Unfortunately few mailers/plugins are designed to use this approach when
signing & encrypting a message. Instead they use the sign & encrypt
approach (one step process) with which signature retention is not possible
after decryption.


-- 
---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
---------------------------------------------------------------
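
The MIME approach described in the message above, sketched as an added example that is not part of the original post: the sender wraps a multipart/signed entity inside multipart/encrypted, and the list server swaps only the outer layer. HMAC and a keyed XOR stream are stand-ins for OpenPGP signing and encryption so the code runs offline; the keys, boundaries and function names are constructed for illustration.

```python
import base64, hashlib, hmac

CRLF = b"\r\n"

# Stand-ins so this runs offline (assumptions, not real crypto): HMAC plays the
# detached OpenPGP signature, a keyed XOR stream plays OpenPGP encryption.
def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()

def crypt(key, data):  # XOR with a keyed stream; applying it twice decrypts
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def multipart(ctype, boundary, *bodies):
    out = [b"Content-Type: " + ctype + b'; boundary="' + boundary + b'"', b""]
    for body in bodies:
        out += [b"--" + boundary, body]
    return CRLF.join(out + [b"--" + boundary + b"--", b""])

def split_parts(entity, boundary):
    # Byte-exact body parts: the CRLF before a boundary belongs to the boundary.
    return [p[2:] for p in entity.split(CRLF + b"--" + boundary)[1:-1]]

def mime_sign(key, part):
    sig = b"Content-Type: application/pgp-signature" + CRLF * 2 + sign(key, part)
    ctype = b'multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256'
    return multipart(ctype, b"sig-bnd", part, sig)

def mime_verify(key, entity):
    part, sig = split_parts(entity, b"sig-bnd")
    return hmac.compare_digest(sig.split(CRLF * 2, 1)[1], sign(key, part))

def mime_encrypt(key, entity):
    ctl = b"Content-Type: application/pgp-encrypted" + CRLF * 2 + b"Version: 1"
    blob = base64.b64encode(crypt(key, entity))
    data = b"Content-Type: application/octet-stream" + CRLF * 2 + blob
    return multipart(b'multipart/encrypted; protocol="application/pgp-encrypted"', b"enc-bnd", ctl, data)

def mime_decrypt(key, entity):
    data = split_parts(entity, b"enc-bnd")[1]
    return crypt(key, base64.b64decode(data.split(CRLF * 2, 1)[1]))

def roundtrip(rewrite=None):
    sender, lst, sub = b"sender-key", b"list-key", b"subscriber-key"  # constructed
    part = b"Content-Type: text/plain" + CRLF * 2 + b"Hello list"
    sent = mime_encrypt(lst, mime_sign(sender, part))   # sender: sign, then encrypt
    inner = mime_decrypt(lst, sent)                      # list server decrypts
    if rewrite:
        inner = rewrite(inner)                           # e.g. a server that edits the body
    relayed = mime_encrypt(sub, inner)                   # and re-encrypts to a subscriber
    return mime_verify(sender, mime_decrypt(sub, relayed))
```

`roundtrip()` verifies because the inner entity passes through the server byte-for-byte; passing a `rewrite` callable that alters the signed part (a subject tag or footer, for instance) makes verification fail.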