Online verification for non-pgp users? - PGP

This is a discussion on Online verification for non-pgp users? - PGP ; Hello, all, Is there a site that allows those who do not have PGP or Gnu-PG installed on their computers to verify the signature on a message (cut and paste kind of thing)? I have found various applets (such as ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Online verification for non-pgp users?

  1. Online verification for non-pgp users?

    Hello, all,

    Is there a site that allows those who do not have PGP or Gnu-PG installed on
    their computers to verify the signature on a message (cut and paste kind of
    thing)? I have found various applets (such as the one at hushmail/hushtools
    or ) but these seem to be restricted to those messages whose senders had
    accounts there. I'm thinking it would be useful for rare/occasional users...

    Thanks,
    -Dan



  2. Re: Online verification for non-pgp users?

    DamJones wrote:
    >
    > Hello, all,
    >
    > Is there a site that allows those who do not have PGP or Gnu-PG installed on
    > their computers to verify the signature on a message (cut and paste kind of
    > thing)? I have found various applets (such as the one at hushmail/hushtools
    > or ) but these seem to be restricted to those messages whose senders had
    > accounts there. I'm thinking it would be useful for rare/occasional users...


    I see three problems with this.

    First of all, the software required to verify a PGP-type signature
    is a substantial part of PGP or GPG. If you're going to install
    that much, why not install the rest?

    Then, there is the "Web of Trust" issue. Verifying a signature
    involves two things: integrity and authenticity. You can always
    use an unknown signature to verify integrity: that the message was
    not altered after it was signed. However, you cannot verify
    authenticity: that the sender was indeed who he or she claimed to
    be. For authenticity, the recipient must possess the sender's
    public key and -- most important -- has marked that public key as
    "valid". This again requires having most of the software for PGP
    or GPG.

    Finally, remote checking of signatures requires having both the
    signature and the original UNALTERED message. Without the message,
    all a remote site could do is verify that a signature exists,
    without verifying either integrity or authenticity. You can't
    merely forward the message to the remote site since most E-mail
    applications alter messages when they are forwarded. You should be
    able to copy the message and paste it into a Web form input area;
    that's how public keys are often sent to key servers. However,
    that would only provide for verifying integrity. For
    athentication, you have to have full trust in the Web service,
    which in turn has actually validated the sender's public key by
    checking the identity of the key's owner. Can you picture a remote
    service doing this FOR FREE?

    In the end, why not install a freeware version of PGP or GPG and
    ask your friends to do the same? Then you only have to rely on
    each other.

    --

    David E. Ross


    I use Mozilla as my Web browser because I want a browser that
    complies with Web standards. See .

  3. Re: Online verification for non-pgp users?

    Hi Dan -

    First the disclaimers:

    * Any website can do anything with the information you
    provide and tell you anything it wants. Caveat emptor.

    * Trust is a function of competency as well as integrity.
    Trust should be earned.

    * (and everything that Dan Ross said)

    For fun..

    http://www.aonalu.net is an OpenPGP playground-in-progress
    which includes a tutorial and online implementation demo
    which will allow you to verify ASCII-armored messages.

    Aloha,
    the poiboy

    DamJones wrote:
    > Hello, all,
    >
    > Is there a site that allows those who do not have PGP or Gnu-PG

    installed on
    > their computers to verify the signature on a message (cut and paste

    kind of
    > thing)? I have found various applets (such as the one at

    hushmail/hushtools
    > or ) but these seem to be restricted to those messages whose senders

    had
    > accounts there. I'm thinking it would be useful for rare/occasional

    users...
    >
    > Thanks,
    > -Dan



+ Reply to Thread