Re: encryption

From: Joachim Schipper (j.schipper_at_math.uu.nl)
Date: 01/27/05

  • Next message: Robert Hines: "RE: encryption"
    Date: Thu, 27 Jan 2005 01:33:34 +0100
    To: Philip Wagenaar <p.wagenaar@accon.nl>
    
    

    On Wed, Jan 26, 2005 at 12:24:20PM +0100, Philip Wagenaar wrote:
    > I was also looking at gnupg.
    >
    > There are a lot of tools for it. Also signing HTML files. I was
    > wondering if signing HTML files is useful. And if it is, anyone have
    > any experience with it?
    >
    > Also, is it possible to encrypt HTML files and make them available for
    > a specified number of users. I would have a webpage on my webserver. I
    > would encrypt it gnupg/pgp.. and I would encrypt it for a number of
    > users?
    >
    > Kind regards,
    >
    > (Philip) Wagenaar
    > Assistent ICT Projecten & Advies

    Dear Philip,

    this is indeed possible; however, I wouldn't recommend it.

    PGP/GnuPG and whatever other programs conform to the OpenPGP standard
    are able to sign arbitrary binary data. This can be done in several
    ways:
            - 'standard' signature: mangles the data. Can be read only with
              GnuPG (or PGP, or whatever - but I use GnuPG and like it, so
              I'm just going to use it in all my examples)
              [ gpg --sign ]
            - detached signature: creates a small file. The original data is
              left intact, and can be read with whatever program is
              appropriate.

              This signature can be used with MIME, which allows signing
              arbitrary (?) MIME parts of e-mail messages. Including HTML.
              Used with 'ASCII armored' format, which means the signature
              doesn't scramble terminals and the like.
              [ gpg --armor --detach-sign ]
            - 'traditional mail' signature: pre- and appends an appropriate
              bit of text. Transparent, simple and elegant, but only works
              for text/plain.
              [ gpg --clear-sign ]

    The ability to use HTML refers to the second ability - the third option
    mangles HTML too badly for it to be parseable.

    Of course, any of these options would still allow people to read a web
    page, providing they have both the appropriate software and the proper
    key. However, gpg isn't built into any browsers (though it could
    probably be done - I'm fairly certain that adding an entry in
    /etc/mailcap.conf would work with, at least, lynx...). This means it is
    a bad choice for transparent encryption (that's what https is for).

    It is quite widely used to sign downloadable files (usually source or
    binary archives), though, at least in the Open Source world.

    Yours,

                    Joachim Schipper

    P.S. How about trimming down all that text your mailer adds a little?
    Oh, and Betr.: is only applicable to us Dutchmen...
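
The three signing modes listed in the message, run against one HTML file and then checked. This is an added example, not part of the original post; the throwaway key, its user ID and the file names are constructed, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example. Key, user ID and file names are constructed for the demo.

demo_setup() {
    GNUPGHOME=$(mktemp -d) || return 1      # throwaway keyring, not ~/.gnupg
    WORK=$(mktemp -d) || return 1
    export GNUPGHOME WORK
    chmod 700 "$GNUPGHOME"
    printf '<html><body><p>Release notes</p></body></html>\n' > "$WORK/page.html"
    # Passphrase-less key: acceptable only because it is discarded afterwards.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never
}

sign_three_ways() {
    f="$WORK/page.html"
    # 'standard': one binary OpenPGP file that wraps the data
    gpg --batch --yes --quiet --output "$f.gpg" --sign "$f" || return 1
    # detached and ASCII-armored: page.html itself is not touched
    gpg --batch --yes --quiet --armor --output "$f.asc" --detach-sign "$f" || return 1
    # cleartext: spelled --clearsign here, which every GnuPG release accepts
    gpg --batch --yes --quiet --output "$f.clear" --clearsign "$f"
}

# Detached signature verifies against the untouched original.
detached_ok() {
    gpg --batch --quiet --verify "$WORK/page.html.asc" "$WORK/page.html" 2>/dev/null
}

# A changed copy must fail verification against the same signature.
tampered_rejected() {
    sed 's/Release/Altered/' "$WORK/page.html" > "$WORK/tampered.html"
    ! gpg --batch --quiet --verify "$WORK/page.html.asc" "$WORK/tampered.html" 2>/dev/null
}

# The 'standard' file is not HTML, but gpg recovers the identical bytes from it.
standard_unwraps() {
    gpg --batch --quiet --decrypt "$WORK/page.html.gpg" 2>/dev/null |
        cmp -s - "$WORK/page.html"
}

# First line of the cleartext-signed file: armor text, not markup.
clearsign_first_line() { head -n 1 "$WORK/page.html.clear"; }

demo_cleanup() { gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"; }

if [ "${1:-}" = demo ]; then
    demo_setup && sign_three_ways && detached_ok && tampered_rejected &&
        standard_unwraps && clearsign_first_line
    demo_cleanup
fi
```

Run it as `sh sign-demo.sh demo` (the script name is arbitrary); without the argument it only defines the functions.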

