[wellylug] GPG Webmail

Sam Cannell sam at plaz.net.nz
Tue Apr 27 09:17:44 NZST 2004


There are two major issues I see with your idea.

First of all, I would never store my private key on a pc that I wasn't
in complete control of.  Secondly, if the decryption is performed on the
server, then:

1) the passphrase needs to get from the user to the server somehow, and
2) the cleartext message needs to come back.

If you're concerned enough about security to want to encrypt your mail,
don't use webmail, and don't read your email on a pc you don't trust. :)

-----Original Message-----
From: wellylug-admin at lists.naos.co.nz
[mailto:wellylug-admin at lists.naos.co.nz] On Behalf Of John C Barstow
Sent: Tuesday, 27 April 2004 9:04
To: wellylug at lists.naos.co.nz
Subject: [wellylug] GPG Webmail

For one of my projects I am looking to set up a secure webmail system
(Debian testing/unstable if it matters).

My understanding so far is that I can generate GPG keys for new users
and use the public keyring to encrypt mails.  My question is around
decrypting; if it's webmail you typically don't want the private key on
the client computer, that implies server-side storage of some kind, with the
web server somehow obtaining the private key and using it to decrypt.

I'm sure this problem has been solved before; any suggestions on where I
should be looking?

John C Barstow


