Canonical methods for digitally signing and verifying

Canonical methods for digitally signing and verifying

[Lloyd Zusman]

I've been following the discussions here concerning the capabilities
of digitally signing and verifying messages via gnus, but I have to
admit that with all that, the exact methods for performing these
functions under gnus are still hazy to me.

Could someone post (or email me privately) the canonical methods for
performing the following functions in gnus (the latest CVS version).
I'm looking for function names, variable settings, customization
settings, and so forth.  Or if this is clearly documented somewhere,
I'd be happy with pointers to this documentation.  The things
I'm interested in are how to ...

(1) ... digitally sign outgoing email via gpg.

(2) ... digitally encrypt outgoing email via gpg.

(3) ... verify digitally signed incoming email.

(4) ... decrypt incoming email that was encrypted either via pgp or
    gpg.


Thank you very much in advance.


-- 
 Lloyd Zusman
 ljz@asfast.com

Re: Canonical methods for digitally signing and verifying

[Kai Großjohann]

On 15 Dec 2000, Lloyd Zusman wrote:

> (1) ... digitally sign outgoing email via gpg.
> (2) ... digitally encrypt outgoing email via gpg.

In the message buffer, the MML menu has a Security submenu.  Just look
up the right functions.

> (3) ... verify digitally signed incoming email.
> (4) ... decrypt incoming email that was encrypted either via pgp or
>     gpg.

Does `W s' do the trick?

kai
-- 
A large number of young women don't trust men with beards.  (BFBS Radio)

Re: Canonical methods for digitally signing and verifying

[Lloyd Zusman]

Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:

> On 15 Dec 2000, Lloyd Zusman wrote:
> 
> > (1) ... digitally sign outgoing email via gpg.
> > (2) ... digitally encrypt outgoing email via gpg.
> 
> In the message buffer, the MML menu has a Security submenu.  Just look
> up the right functions.

THank you!

Based on what I see in the buffer after selecting these functions, it
appears like the only thing which triggers signing and encryption is
the presence of one of the following tags in the buffer (I changed the
angle brackets to square brackets here, so as not to trigger any
encryption or signing of this particular message):

  [#part encrypt=pgpmime]
  [#part sign=pgpmime]

Is it true that the only thing I need to do is to put such a tag into
the buffer before sending?

> > (3) ... verify digitally signed incoming email.
> > (4) ... decrypt incoming email that was encrypted either via pgp or
> >     gpg.
> 
> Does `W s' do the trick?

Yes, indeed it does.

But there's other default behavior I'd like to change:

I'd like to know what customizations or options control the automatic
checking for encryption when I start to read a new email message.
Right now, I'm automatically asked if I want to decrypt a new message
when I start to read an encrypted message, but I'd like to not
be automatically asked this.

This is one reason that I asked for information about all the options
and customizations that control en/decryption.

Thanks again.


-- 
 Lloyd Zusman
 ljz@asfast.com

Re: Canonical methods for digitally signing and verifying

[ShengHuo ZHU]

Lloyd Zusman <ljz@asfast.com> writes:

> Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:
> 
> > On 15 Dec 2000, Lloyd Zusman wrote:
> > 
> > > (1) ... digitally sign outgoing email via gpg.
> > > (2) ... digitally encrypt outgoing email via gpg.
> > 
> > In the message buffer, the MML menu has a Security submenu.  Just look
> > up the right functions.
> 
> THank you!
> 
> Based on what I see in the buffer after selecting these functions, it
> appears like the only thing which triggers signing and encryption is
> the presence of one of the following tags in the buffer (I changed the
> angle brackets to square brackets here, so as not to trigger any
> encryption or signing of this particular message):
> 
>   [#part encrypt=pgpmime]
>   [#part sign=pgpmime]
> 
> Is it true that the only thing I need to do is to put such a tag into
> the buffer before sending?

Basically, yes. If you are going to sign/encrypt a multipart message,
change #part to #multipart.

> > > (3) ... verify digitally signed incoming email.
> > > (4) ... decrypt incoming email that was encrypted either via pgp or
> > >     gpg.
> > 
> > Does `W s' do the trick?
> 
> Yes, indeed it does.
> 
> But there's other default behavior I'd like to change:
> 
> I'd like to know what customizations or options control the automatic
> checking for encryption when I start to read a new email message.
> Right now, I'm automatically asked if I want to decrypt a new message
> when I start to read an encrypted message, but I'd like to not
> be automatically asked this.
> 
> This is one reason that I asked for information about all the options
> and customizations that control en/decryption.

mm-verify-option and mm-decrypt-option are the customizable variables.

ShengHuo

Re: Canonical methods for digitally signing and verifying

[Lloyd Zusman]

[-- Attachment #1: Type: text/plain, Size: 672 bytes --]

ShengHuo ZHU <zsh@cs.rochester.edu> writes:

> Lloyd Zusman <ljz@asfast.com> writes:
> 
> [ ... ]
>
> > This is one reason that I asked for information about all the options
> > and customizations that control en/decryption.
> 
> mm-verify-option and mm-decrypt-option are the customizable variables.
> 
> ShengHuo

Thank you very much.  This indeed is what I was looking for.

And now for a different question:

Is there any way to tell gnus to encode my signed message as `8bit'
instead of as `quoted-printable' (in the `Content-Transfer-Encoding'
header[s] that appear in the signed message)?

Thanks again.

-- 
 Lloyd Zusman
 ljz@asfast.com

[-- Attachment #2: Type: application/pgp-signature, Size: 239 bytes --]

Re: Canonical methods for digitally signing and verifying

[ShengHuo ZHU]

Lloyd Zusman <ljz@asfast.com> writes:

> And now for a different question:
> 
> Is there any way to tell gnus to encode my signed message as `8bit'
> instead of as `quoted-printable' (in the `Content-Transfer-Encoding'
> header[s] that appear in the signed message)?

8bit CTE is not safe for PGP. Some MTAs convert 8bit text to QP or
base64, which causes verification failure.

ShengHuo

Re: Canonical methods for digitally signing and verifying

[Lloyd Zusman]

ShengHuo ZHU <zsh@cs.rochester.edu> writes:

> Lloyd Zusman <ljz@asfast.com> writes:
> 
> > And now for a different question:
> > 
> > Is there any way to tell gnus to encode my signed message as `8bit'
> > instead of as `quoted-printable' (in the `Content-Transfer-Encoding'
> > header[s] that appear in the signed message)?
> 
> 8bit CTE is not safe for PGP. Some MTAs convert 8bit text to QP or
> base64, which causes verification failure.

Ah ... thanks.

Forgive my ignorance about this subject, but will the quoted-printable
conversion cause problems under the following scenario? ...

I send 8bit email to one of my friends in South America, and this
email contains the special Spanish characters (accented vowels and n's
with tildes and upside-down question marks and exclamation points).

After being converted to quoted-printable, these characters become
3-character sequences, which a normal Spanish speaker would have a
hard time reading.

Assuming that my Spanish friend is using an email agent such as
Outlook or Netscape to read my letters, and assuming that she does
nothing to decode or verify my signature, is it likely that those two
email clients do the right thing with the quoted printable text that
I'm sending via gnus within my digitally signed message, and that the
characters will be converted back into the 8bit Spanish characters
when my friend is reading her email?

I'd like to start digitally signing ALL my outgoing messages, but
if the case I outlined above would cause problems, then perhaps
I'm going to have to be selective about the messages I sign and
don't sign digitally.

Thanks again, in advance.


> ShengHuo

- Lloyd


-- 
 Lloyd Zusman
 ljz@asfast.com

Re: Canonical methods for digitally signing and verifying

[Simon Josefsson]

Lloyd Zusman <ljz@asfast.com> writes:

> Assuming that my Spanish friend is using an email agent such as
> Outlook or Netscape to read my letters, and assuming that she does
> nothing to decode or verify my signature, is it likely that those two
> email clients do the right thing with the quoted printable text that
> I'm sending via gnus within my digitally signed message, and that the
> characters will be converted back into the 8bit Spanish characters
> when my friend is reading her email?

Yes.

> I'd like to start digitally signing ALL my outgoing messages

Signing posts to public mailing lists is not generally useful, IMHO.
(Mostly because of all programs out there with poor MIME support, not
to mention PGP/MIME or S/MIME.)  Some ML managers will even destroy
your signature to make it even more of a hassle.

Re: Canonical methods for digitally signing and verifying

[Lloyd Zusman]

Simon Josefsson <sj@extundo.com> writes:

> Lloyd Zusman <ljz@asfast.com> writes:
> 
> > Assuming that my Spanish friend is using an email agent such as
> > Outlook or Netscape to read my letters, and assuming that she does
> > nothing to decode or verify my signature, is it likely that those two
> > email clients do the right thing with the quoted printable text that
> > I'm sending via gnus within my digitally signed message, and that the
> > characters will be converted back into the 8bit Spanish characters
> > when my friend is reading her email?
> 
> Yes.

Thanks.  Not using either of those two programs for email, it would
have been hard for me to verify this myself.  Therefore, your answer
was quite helpful.

And congratulations for deciphering and understanding my long,
run-on sentence!  :)


> > I'd like to start digitally signing ALL my outgoing messages
> 
> Signing posts to public mailing lists is not generally useful, IMHO.
> (Mostly because of all programs out there with poor MIME support, not
> to mention PGP/MIME or S/MIME.)  Some ML managers will even destroy
> your signature to make it even more of a hassle.

Well, I was thinking of configuring gnus to always sign my outgoing
emails, but I guess that isn't a good idea.  I suppose that I'll have
to put something into my gnus setup to make the decision on a
group-by-group basis as to whether a message gets signed or not.

It doesn't appear that `gnus-posting-styles' can help me with this,
right?

Therefore, here's my idea as to how to do this: I'll use
`gnus-message-mode-hook' to set a buffer-specific variable based on
the group name.  This variable will be a flag which is set to `t' if I
want to sign my messages by default.  Then, since I already have a
wrapper around `message-send-and-exit', in this wrapper I'll look at
this buffer-specific flag to determine whether I sign the message or
not.

How does this idea sound?  Has anyone come up with other, more
elegant ways to do this sort of thing?

Thanks in advance.

-- 
 Lloyd Zusman
 ljz@asfast.com

Re: Canonical methods for digitally signing and verifying

[Charles Sebold]

On 20 Kislev 5761, Lloyd Zusman wrote:

> Well, I was thinking of configuring gnus to always sign my outgoing
> emails, but I guess that isn't a good idea.  I suppose that I'll
> have to put something into my gnus setup to make the decision on a
> group-by-group basis as to whether a message gets signed or not.
> 
> It doesn't appear that `gnus-posting-styles' can help me with this,
> right?

If all you have to do to auto-sign a message is add the #part bit, you
could do this with posting-styles and the signature, possibly.  It may
not handle multi-parts intelligently, though.  If you never attach and
you never use more than one coding system in replies in that group,
that might work OK for you.
-- 
Charles Sebold
--
20th of Kislev, 5761
--
Tech Support Excuse of the Day:
routing problems on the neural net