Robin Cornelius wrote:
>
> I'm willing to give things a go but a bit short of time at the moment. I
> might have a quick look at this, it's an interesting idea and I can see
> the benefits for people stuck with various proprietary email systems etc.
> If the server had an SSL certificate then this should increase the trust
> level.

Doomed -- the certificate just says we trust the server to be who it is (and hopefully not recently hacked!). The server can at best validate that the signed message is well formed and has a valid signature (it is hard to get the content properly out of mail clients that don't handle PGP/MIME correctly in the first place).

A well formed and valid signature doesn't mean anything other than the software that signed the email is working correctly, it conveys no confidence in the sender's identity. Without joining the web of trust - this signature is pretty much useless to you except to establish a pseudonym, and that would require the webserver be stateful, and identify when the signature is the same, but what happens when the signature expires and is replaced?!

I'd go with the "it is a digital signature, which like a normal signature acts as legal proof I wrote the email - any modern email client with support for PGP/MIME would be able to check it". And send them to "getthunderbird.com" (or other preferred email client) if they say their email client doesn't support it nicely.

Any mail client that displays it as a file attachment is so out of date as to not be worth using IMHO, it is "inline", and a standard that is 11 years old, at the very least it should display the ASCII, or hide the signature entirely.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html