Creating PGP signature based on headers - PGP

This is a discussion on Creating PGP signature based on headers - PGP ; Hi, I need to create a PGP signature based on headers (i.e, From, Sender, date etc). Is this possible using PGP 8.x? Thanks, Andrew. -- Andrew Hodgson in Bromyard, Herefordshire, UK. My Email: use ....

+ Reply to Thread
Results 1 to 5 of 5

Thread: Creating PGP signature based on headers

  1. Creating PGP signature based on headers

    Hi,

    I need to create a PGP signature based on headers (i.e, From, Sender,
    date etc). Is this possible using PGP 8.x?

    Thanks,
    Andrew.
    --
    Andrew Hodgson in Bromyard, Herefordshire, UK.
    My Email: use .

  2. Re: Creating PGP signature based on headers

    Andrew Hodgson wrote in
    news:992stvgo9aidnvc99oc4vnh36ascv0ucjm@4ax.com:

    > I need to create a PGP signature based on headers (i.e, From, Sender,
    > date etc). Is this possible using PGP 8.x?
    >


    NNTP or Email headers?
    In either case, not likely as NNTP/Email servers add fields to the
    header on the fly which would invalidate any signature made before
    emailing/posting.

    If you receive a post/email, depending on your newsreader/email
    program you can probably save it (with headers) to a file and then
    apply a signature to the file... but this is probably not what you had
    in mind?

    HTH,
    John

  3. Re: Creating PGP signature based on headers

    On Mon, 15 Dec 2003 20:13:04 GMT, John Wunderlich
    wrote:

    >Andrew Hodgson wrote in
    >news:992stvgo9aidnvc99oc4vnh36ascv0ucjm@4ax.com:
    >
    >> I need to create a PGP signature based on headers (i.e, From, Sender,
    >> date etc). Is this possible using PGP 8.x?
    >>

    >
    >NNTP or Email headers?
    >In either case, not likely as NNTP/Email servers add fields to the
    >header on the fly which would invalidate any signature made before
    >emailing/posting.


    Not if you specify the headers that the signature applies to.

    For example, in an NNTP control message, we have the following:

    |X-PGP-Sig: 6.5.1i Subject,Control,Message-ID,Date,From,Sender
    | iQCVAwUBO53JrWOfGXkh8vHZAQGw7AQAgoaSRmE71mmmmQga1h T3kaSbmsmuePvZ
    | 6Pr0ADxZogPye0luG5MAzht2I/JYnU2l0CBCcVrwLwIzZaLiePptWTEUI3chf3l0
    [...]

    I want to know if it is possible to create this type of header using
    PGP 8.x?

    Tia,
    Andrew.
    --
    Andrew Hodgson in Bromyard, Herefordshire, UK.
    My Email: use .

  4. Re: Creating PGP signature based on headers

    Andrew Hodgson writes:

    >For example, in an NNTP control message, we have the following:


    >|X-PGP-Sig: 6.5.1i Subject,Control,Message-ID,Date,From,Sender
    >| iQCVAwUBO53JrWOfGXkh8vHZAQGw7AQAgoaSRmE71mmmmQga1h T3kaSbmsmuePvZ
    >| 6Pr0ADxZogPye0luG5MAzht2I/JYnU2l0CBCcVrwLwIzZaLiePptWTEUI3chf3l0
    >[...]


    >I want to know if it is possible to create this type of header using
    >PGP 8.x?


    As far as I know, these pgp signed usenet control messages are all
    based on pgp2. That is, it uses pgp2 keys (RSA keys). You can
    probably install pgp-2.6.2. You will need some supplementary
    software to extract the headers and then invoke pgp. Such software
    is probably available on the net.

    While it may be doable with PGP8, it won't be directly doable in the
    PGP software. And the supplementary software that would be needed
    might not exist for PGP8, or if it does exist might be harder to
    find.


  5. Re: Creating PGP signature based on headers

    In Andrew Hodgson writes:

    >For example, in an NNTP control message, we have the following:


    >|X-PGP-Sig: 6.5.1i Subject,Control,Message-ID,Date,From,Sender
    >| iQCVAwUBO53JrWOfGXkh8vHZAQGw7AQAgoaSRmE71mmmmQga1h T3kaSbmsmuePvZ
    >| 6Pr0ADxZogPye0luG5MAzht2I/JYnU2l0CBCcVrwLwIzZaLiePptWTEUI3chf3l0
    >[...]


    >I want to know if it is possible to create this type of header using
    >PGP 8.x?


    You will need the Tale's Perl scripts for "Signcontrol" and "PGPVerify".
    Hmmm! I've got the scripts, but cannot locate the URL they came from.

    These can easily be hacked to use any (command line) version of PGP, and
    there is no reason they shouldn't use D-H signatures, except that they
    wouldn't be recognized by people using 2.6.3 then. I use version 5.0i
    myself.

    The PGPverify protocol has some shortcomings (when faced with folded
    headers, for example). There is a similar, but different protocol known as
    "PGPMoose" for signing moderated articles. The USEFOR Working Group spent
    some time working on a successor to Pgpverify, but postponed that while
    pressing on with other work. You can see how far it got at
    http://www.landfield.com/usefor/draf...-signed-01.txt.

    The chief issues to be considered in designing any such protocol are the
    method to indicate which headers are to be signed, and deciding how much
    canonicalization to do to protect against (possibly legitimate) munging of
    the headers as they pass through news and mail transport systems.

    --
    Charles H. Lindsey ---------At Home, doing my own thing------------------------
    Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
    Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
    PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

+ Reply to Thread