NPR : E-Mail Encryption Rare in Everyday Use

Peter Gutmann pgut001 at
Sun Mar 5 09:13:39 EST 2006


>Basically our customer required us to encrypt any team communications. So we
>used PGP with email.  I know the body of the email was encrypted, and I
>believe attachments were too.  The certs were used to "automate" the
>decryption.  Basically the PGP plugin would check the incoming mail's sender
>email name and try to find a local cert that had the same email name in it.

Hmm, that sounds like broken software then, since the (probabilistically)
unique keyID to locate the appropriate decryption or signature verification
key is included in the message/signature - you never have to look at the From:
address, and indeed trying to use it for key lookups would be a recipe for
disaster because of the problems you pointed out.
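
The key-ID lookup described in the reply above, as an added example that is not part of the original post or of any PGP product: it walks the OpenPGP packet headers (RFC 4880), reads the 8-octet key ID from each Public-Key Encrypted Session Key packet, and selects local keys by that ID alone. The sample message bytes, key IDs, keyring and helper names are constructed for illustration.

```python
# Added example: constructed data, not taken from any real message or product.
import struct

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if hdr & 0x40:                       # new-format header
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(message):
    """Key IDs carried in the version 3 PKESK (tag 1) packets."""
    return [body[1:9].hex().upper() for tag, body in iter_packets(message)
            if tag == 1 and len(body) >= 10 and body[0] == 3]

def select_decryption_keys(message, keyring):
    """Pick local keys by key ID; the From: header is never consulted."""
    return [keyring[k] for k in recipient_key_ids(message) if k in keyring]

# Constructed sample: two PKESK packets (old and new header format), then a
# tag 18 encrypted-data packet with placeholder bytes.
def _pkesk(key_id):  # version 3, key ID, algorithm 1 (RSA), dummy MPI
    return b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x08\xff"
BODY1, BODY2 = _pkesk("1122334455667788"), _pkesk("A1B2C3D4E5F60718")
SAMPLE = (b"\x84" + bytes([len(BODY1)]) + BODY1 +
          b"\xC1" + bytes([len(BODY2)]) + BODY2 + b"\xD2\x03\x01\xAA\xBB")
# Hypothetical keyring: the matching key's user ID differs from any sender.
KEYRING = {"A1B2C3D4E5F60718": "Team key <team@example.org>"}
```

The selection takes only the message bytes and the keyring as input, so a sender address that differs from the key's user ID has no effect on which key is tried.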


