On 07/02/2010 12:52 PM, Arthur Machlas wrote:
> I just recently set up encrypted mail for my personal mail account,
> using icedove and enigmail. I'm curious about a general feature of
> "signing" the email. Why can't I just copy the "signature" portion of
> the email, which many people on this list attach to their posts, and
> paste it at the bottom of a fake email? Appreciate any comments or
> links you may have.

In a nutshell:

* The sender's PGP/GPG hashes the text of the message. Because every
  message will be different, every hash from the text will be different.
* The sender's PGP/GPG then encrypts the hashed string using your private
  key, and attaches the message to the mail as a "signature".

The mail is then sent, at which:

* The receiver's PGP/GPG uses the sender's public key to decrypt the
  signature, to get to the hash.
* The receiver's PGP/GPG then re-hashes the email using the same
  algorithm the sender uses.
* If the hashes match (the newly created hash, and the decrypted hash),
  the signature is valid. If they don't match, the signature is invalid.

That's why you can't paste a single signature to every email you send.
It has to be generated every time.

--
. O . O . O . . O O . . . O . . . O . O O O . O . O O . . O O O O . O . . O O O O . O O O
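The hash, sign, and verify steps described in the reply above, as an added example that is not part of the original message: a signature made for one text is pasted under a different text and fails verification. It assumes plain SHA-256 plus unpadded RSA with a constructed, insecure demo key (real OpenPGP adds padding and a packet format), and all function names are hypothetical.

```python
import hashlib

# Constructed demo key, NOT secure: built from two publicly known
# Mersenne primes so the example runs with the standard library only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """Hash the message text and interpret the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Sender side: transform the hash with the private key."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver side: recover the signed hash with the public key,
    re-hash the received text, and compare the two values."""
    recovered = pow(signature, E, N)
    return recovered == digest_int(message)


def demo() -> dict:
    genuine = b"Meet at noon on Friday.\n"       # constructed sample text
    forged = b"Send the funds to account 12345.\n"
    sig = sign(genuine)
    return {
        "genuine": verify(genuine, sig),
        # Same signature copied under a different message body.
        "pasted_under_forgery": verify(forged, sig),
        # Even a one-byte edit changes the hash, so the check fails.
        "one_byte_changed": verify(genuine.replace(b"noon", b"moon"), sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```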