-----BEGIN PGP SIGNED MESSAGE----- In <3.0.1.32.19970609000938.00756910@popd.ix.netcom.com>, on 06/09/97 at 12:09 AM, Bill Stewart <stewarts@ix.netcom.com> said:

I've been using PGP Inc.'s PGP5.0 Eudora Plug-In, and it decrypts the mail into the mail message buffer itself. When you finish with that particular message (e.g. go to the next, or just close it), you get asked it you want to save the modified message, and if you say "yes" you'll have the decrypted message in your mailbox. However, there's a negative about this - if you receive mail that's signed and encrypted, and save the modified version, it loses the signature information - so it may be more valuable to save the encrypted version...

Well this is why I tell everyone to clear sign the message first and then encrypt it. In my PGP GUI/E-Mail integration E-Secure this is the default behavior. IMHO encrypting & signing (-sea) is a PITA (for the reciever). I also verify signatures of all signed inbound messages and append the output from PGP to the bottom of the message so that you can see the results when the message is opened without having to re-run PGP. The user also has the option to either decrypt messages as they are retreived or to store them encrypted. I just released the first beta of my auto-encrypt code. That was quite fun to write. Myself am rather disturbed by how many PGP/E-Mail implmentations handle signing/encrypting of messages. One of my biggest pet peeves is when only the plain text of a message is signed/encrypted. I have seen this with more than 1 implementation and I see it as a serrious security flaw. Another issue that is usally missed is Bcc's. The whole purpose of using Bcc's is that you don't want the rest of your distribution to know that you have sent a copy to the addresses on the Bcc line. If you encrypt a message with multiple keys including keys for your Bcc's then your Bcc's will be known to everyone who recieves a copy of the message. What I have done to address this is to send seperate copies of the message to each address on the Bcc list each encrypted with only the one key for the address. You can have the strongest algorithms in the world but they do you no good if they are poorly implemented. - -- - --------------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBM5u7uo9Co1n+aLhhAQH/sgP/V/ulJSLuNEV+sBW1hAnRsbYizxUb3tbc eJtG6YZnhszgjmj0ybgA/yfIC3i9uXjvuZeRdyrD9YSTf0a0gWOkcAzhhB/A5XBj Kf80HEXiJhd9dLSxYUGD55QFQNtz1QGbEGCURLyCchuWa0KrpLUofvUZ0cfatk+3 VKbfYn0KMTA= =vvGI -----END PGP SIGNATURE-----