I got the metamail stuff running on my machine. I think it's a good way to get the multimedia mail job done.

Does anyone on the list have a better .mailcap entry for pgp than the following....?

application/pgp ; pgp < %s ; label="PGP encrypted text" ; compose="pgpcompose %s"

where pgpcompose is a quick hack that looks like:

#!/usr/bin/ksh
rm /tmp/pgpcompose
vi /tmp/pgpcompose
echo What key?
read key
pgp -mae /tmp/pgpcompose $key
mv /tmp/pgpcompose.asc $1
exit 0

I've just been fooling around with metamail for a couple days, and I don't know what the best way to include PGP is... This seems to work, but I'm guessing I'm missing something more elegant.

-Bill

--
Bill O'Hanlon   wmo@rebma.mn.org
> where pgpcompose is a quick hack that looks like:
>
> #!/usr/bin/ksh
> rm /tmp/pgpcompose
> vi /tmp/pgpcompose
> echo What key?
> read key
> pgp -mae /tmp/pgpcompose $key
> mv /tmp/pgpcompose.asc $1
> exit 0
This is not a very good way of doing this unless this is on a single-user linux system where you have read all the source, and compiled it yourself.

First, if on a multi-user system, what happens if two people run pgpcompose? At the very least, use code like "vi /tmp/pgpcompose.$$", which will append your process ID to the temp file name.

It is NOT a good idea to keep the plain text in a disk file, even for a little while. It would be very easy for someone to set up a crontab entry which looks for files of the name /tmp/pgp*, and copies them to a hidden directory. You would never even know that it was happening.

If you absolutely MUST do crypto on a multiuser machine, at least try not to keep plaintext or private keys in files. For example, you could instead rewrite the above script to call vi directly on what will become the output cyphertext file. Then the user types in plaintext, and does not save the file. The file (while still only in memory) is piped (!G) through pgp by the user.

This is still not very secure, since it would be not too difficult for someone to have a version of vi that saves everything that is piped in a special file. Or pgp may be modified to do the same. Or if you compile pgp yourself every time, the C standard input routines may be modified to do the logging.

You get the picture. There is no security on a multiuser system.

--
Yanek Martinson   mthvax.cs.miami.edu!safe0!yanek   uunet!medexam!yanek
this address preferred -->> yanek@novavax.nova.edu <<-- this address preferred
Phone (305) 765-6300 daytime    FAX: (305) 765-6708    1321 N 65 Way/Hollywood
      (305) 963-1931 evenings        (305) 981-9812    Florida, 33024-5819
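[Added example, not part of any post in this thread] A variant of the pgpcompose script that takes the reply's two concrete objections (one fixed file name shared by every user, and plaintext readable in /tmp) as far as a shell script can. It assumes mktemp(1) is available; EDITOR and PGP_CMD are hypothetical override hooks, and the default "pgp -mae FILE KEY" is the invocation quoted in the original post.

```shell
#!/bin/sh
# Added example: pgpcompose with a private, unpredictable work directory
# instead of the fixed /tmp/pgpcompose used in the thread.
# Assumptions: mktemp(1) exists; EDITOR and PGP_CMD are hypothetical hooks.

pgpcompose() {
    (
        out=$1
        key=${2:-}
        [ -n "$out" ] || { echo "usage: pgpcompose OUTFILE [KEY]" >&2; exit 2; }
        [ -n "$key" ] || { printf 'What key? ' >&2; read -r key; }

        umask 077    # anything created below is readable by the caller only
        # mktemp -d creates a new mode-0700 directory with a random suffix and
        # fails rather than reuse an existing name, so two concurrent users
        # never share a file and other accounts cannot list or read it.
        work=$(mktemp -d "${TMPDIR:-/tmp}/pgpcompose.XXXXXX") || exit 1
        trap 'rm -rf "$work"; exit 1' HUP INT TERM   # remove plaintext if interrupted

        status=1
        if ${EDITOR:-vi} "$work/msg" &&
           [ -s "$work/msg" ] &&                     # refuse an empty message
           ${PGP_CMD:-pgp -mae} "$work/msg" "$key"   # writes "$work/msg.asc"
        then
            mv "$work/msg.asc" "$out" && status=0
        fi
        rm -rf "$work"    # plaintext removed on success and on failure
        exit "$status"
    )
}
```

The plaintext still touches the disk briefly, and nothing here helps against root or against a modified vi or pgp, which are the reply's remaining points.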
> You get the picture. There is no security on a multiuser system.

It is possible to get security on a multiuser system (there are at least B3 rated systems out there), you just can't currently get them with Windows or Mac interfaces :-)

dean
> > You get the picture. There is no security on a multiuser system.
>
> It is possible to get security on a multiuser system (there are at least B3 rated systems out there),
That is fine as long as you trust all the entities that designed, built, (modified :-), programmed, installed, and administer the system.

--
Yanek Martinson   mthvax.cs.miami.edu!safe0!yanek   uunet!medexam!yanek
this address preferred -->> yanek@novavax.nova.edu <<-- this address preferred
Phone (305) 765-6300 daytime    FAX: (305) 765-6708    1321 N 65 Way/Hollywood
      (305) 963-1931 evenings        (305) 981-9812    Florida, 33024-5819
> That is fine as long as you trust all the entities that designed, built, (modified :-), programmed, installed, and administer the system.

You can inspect the design, the code, the installation, and probably even the administration of the system. That would typically be economically infeasible, however, so to reduce your expense, you'll have to trust someone (preferably someone who stands to lose a lot if they defect).

dean
participants (3)
- rebma!rebma!wmo@kksys.mn.org
- tribble@xanadu.com
- yanek@novavax.nova.edu