Decrypting GPG/PGP email messages

Piet van Oostrum piet at cs.uu.nl
Fri Sep 2 13:00:22 CEST 2005


>>>>> Alessandro Bottoni <alessandro.bottoni at infinito.it> (AB) wrote:

>AB> Of course, I want to be sure that only the allowed people is able to send
>AB> such dangerous messages to my server so I will ask my users to encrypt and
>AB> digitally sign their messages using Thunderbird, Enigmail and GPG ...

What benefit is there in encrypting the messages? It would only prevent
people intercepting the message from seeing what's inside, but it won't
give you any additional protection on the server. 

And if somebody can intercept the messages there is a much bigger danger:
They could save the message and replay it later. You can't protect against
this with encryption (well, with encryption they won't know what they
are doing). Neither with a digital signature. Only checking timestamps,
keeping track of the messages received and/or a challenge/response system
will help in this case.

>AB> 1) What would you use to decrypt the messages? The GPG module created by
>AB> Andrew Kuchling is declared "incomplete" and "no more maintained" on his
>AB> web pages (http://www.amk.ca/python/code/gpg) so I think it is out of the
>AB> game. Would you use OpenPGP (http://www.aonalu.net/openpgp/python)? Any
>AB> other module?

If you only sign, it will be sufficient, but there is a more complete one
(including decryption) in
http://trac.t7a.org/isconf/file/trunk/lib/python/isconf/GPG.py 

-- 
Piet van Oostrum <piet at cs.uu.nl>
URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C4]
Private email: piet at vanoostrum.org



More information about the Python-list mailing list