I just recently set up encrypted mail for my personal mail account,
using icedove and enigmail. I'm curious about a general feature of
"signing" the email. Why can't I just copy the "signature" portion of
the email, which many people on this list attach to their posts, and
paste it at the bottom of a fake email? Appreciate any comments or
links you may have.
Best,
AM
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/AANLkTimh0BGCSIXX9G-y5XSV9Id3lQg-F8m5akXwwNCx@mail.gmail.com
07-02-2010, 07:11 PM
Celejar
Signing Email Messages
On Fri, 2 Jul 2010 13:52:47 -0500
Arthur Machlas <arthur.machlas@gmail.com> wrote:
> I just recently set up encrypted mail for my personal mail account,
> using icedove and enigmail. I'm curious about a general feature of
> "signing" the email. Why can't I just copy the "signature" portion of
> the email, which many people on this list attach to their posts, and
> paste it at the bottom of a fake email? Appreciate any comments or
> links you may have.
Look at the signatures carefully. Each one, even from the same signer,
is different, and depends on the exact contents of the message. The
whole point of a signature is that if one is improperly attached to a
message, it won't match, and the mail reader or other client will
notice this.
Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
07-02-2010, 07:17 PM
Arthur Machlas
Signing Email Messages
On Fri, Jul 2, 2010 at 2:11 PM, Celejar <celejar@gmail.com> wrote:
> On Fri, 2 Jul 2010 13:52:47 -0500
> Arthur Machlas <arthur.machlas@gmail.com> wrote:
>
>> I just recently set up encrypted mail for my personal mail account,
>> using icedove and enigmail. I'm curious about a general feature of
>> "signing" the email. Why can't I just copy the "signature" portion of
>> the email, which many people on this list attach to their posts, and
>> paste it at the bottom of a fake email? Appreciate any comments or
>> links you may have.
>
> Look at the signatures carefully. Each one, even from the same signer,
> is different, and depends on the exact contents of the message. The
> whole point of a signature is that if one is improperly attached to a
> message, it won't match, and the mail reader or other client will
> notice this.
>
> Celejar
Makes abundant sense. And I assume they'd need my public key to verify
the signature?
Thanks Celejar
07-02-2010, 07:27 PM
Celejar
Signing Email Messages
On Fri, 2 Jul 2010 14:17:50 -0500
Arthur Machlas <arthur.machlas@gmail.com> wrote:
> On Fri, Jul 2, 2010 at 2:11 PM, Celejar <celejar@gmail.com> wrote:
> > On Fri, 2 Jul 2010 13:52:47 -0500
> > Arthur Machlas <arthur.machlas@gmail.com> wrote:
> >
> >> I just recently set up encrypted mail for my personal mail account,
> >> using icedove and enigmail. I'm curious about a general feature of
> >> "signing" the email. Why can't I just copy the "signature" portion of
> >> the email, which many people on this list attach to their posts, and
> >> paste it at the bottom of a fake email? Appreciate any comments or
> >> links you may have.
> >
> > Look at the signatures carefully. Each one, even from the same signer,
> > is different, and depends on the exact contents of the message. The
> > whole point of a signature is that if one is improperly attached to a
> > message, it won't match, and the mail reader or other client will
> > notice this.
> >
> > Celejar
>
> Makes abundant sense. And I assume they'd need my public key to verify
> the signature?
Exactly. A mail client that receives a message signed by you
generally tries to look up your public key from a keyserver.
Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
07-02-2010, 07:39 PM
Brad Rogers
Signing Email Messages
On Fri, 2 Jul 2010 14:17:50 -0500
Arthur Machlas <arthur.machlas@gmail.com> wrote:
Hello Arthur,
> Makes abundant sense. And I assume they'd need my public key to verify
> the signature?
Yes. Upload it to one of the (many) keyservers available for this
purpose, and they won't have to nag you for it.
However, before you upload your public key, make sure you generate a
revocation certificate for it. That way, if your key pair ever does become
compromised, you can still revoke the public key and generate a new key
pair.
--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
I am alone there's nobody there
I Look Alone - Buzzcocks
07-03-2010, 06:45 PM
Alexander Batischev
Signing Email Messages
On Fri, Jul 02, 2010 at 01:52:47PM -0500, Arthur Machlas wrote:
> I just recently set up encrypted mail for my personal mail account,
> using icedove and enigmail. I'm curious about a general feature of
> "signing" the email. Why can't I just copy the "signature" portion of
> the email, which many people on this list attach to their posts, and
> paste it at the bottom of a fake email? Appreciate any comments or
> links you may have.
Well, in previous replies all your questions were answered, so I decided to
provide a link which may help you to make digital signing and encryption more
clear to you. Here it is - "Gnu Privacy Guard (GnuPG) Mini Howto (English)"[1].
On 07/02/2010 12:52 PM, Arthur Machlas wrote:
> I just recently set up encrypted mail for my personal mail account,
> using icedove and enigmail. I'm curious about a general feature of
> "signing" the email. Why can't I just copy the "signature" portion of
> the email, which many people on this list attach to their posts, and
> paste it at the bottom of a fake email? Appreciate any comments or
> links you may have.
In a nutshell:
* The sender's PGP/GPG hashes the text of the message. Because every
message will be different, every hash from the text will be different.
* The sender's PGP/GPG then encrypts the hashed string using your
private key, and attaches the message to the mail as a "signature".
The mail is then sent, at which point:
* The receiver's PGP/GPG uses the sender's public key to decrypt the
signature, to get to the hash.
* The receiver's PGP/GPG then re-hashes the email using the same
algorithm the sender uses.
* If the hashes match (the newly created hash, and the decrypted hash),
the signature is valid. If they don't match, the signature is invalid.
That's why you can't paste a single signature to every email you send.
It has to be generated every time.
--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O
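
The hash-then-sign flow described in the thread, as an added example that is not part of any of the original posts. It uses textbook RSA without padding and a constructed demo key built from two Mersenne primes; GnuPG's real signatures add padding and sign metadata along with the text, and the function names here are illustrative.

```python
import hashlib

# Constructed demo key (assumption for this example): two Mersenne primes.
# Good enough to show the mechanism, never suitable as a real key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Hash the exact bytes of the message into an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Sender: hash the text, then transform the hash with the private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: recover the hash with the public key, re-hash, compare."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    genuine = b"Meet at noon.\n"          # constructed sample messages
    forged = b"Meet at midnight.\n"
    sig = sign(genuine)
    return {
        # The signature checks out on the message it was made for.
        "genuine": verify(genuine, sig),
        # Copied under a different message, the hashes no longer match.
        "pasted_onto_forgery": verify(forged, sig),
        # Even a one-character edit to the signed text breaks it.
        "one_byte_changed": verify(b"Meet at noon!\n", sig),
        # Same signer, different text: a different signature every time.
        "signatures_differ": sign(forged) != sig,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
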