Stuart Ballard wrote:
> Frank Hecker wrote:
> > There are different authentication mechanisms involved here. For web
> > sites using password-based authentication over plain HTTP (or HTTP over
> > SSL without SSL client authentication), you can have the various
> > passwords encrypted on disk, with your passphrase used in generating a
> > symmetric key to encrypt the passwords and then decrypt them later as
> > needed when connecting to the sites. (I use the term "passphrase" to
> > distinguish this from a web site password.)
>
> Yes; my point was that you *could* use a similar mechanism to store
> encrypted messages being sent - to use your terms, generate a symmetric
> key (or use the same one from the passwords) and use it to encrypt the
> mails on disk. I do see why it wasn't done this way though - my way
> would have issues if multiple clients are using the same mbox.
It has more issues than that :-) You could use your method to encrypt
copies of messages stored on your local disk, to prevent other people
with access to your machine from snooping through your mail folders.
(And, by the way, that wouldn't be a bad Mozilla enhancement if
someone's not already doing it.) However it wouldn't work for sending
emails to other people: Suppose you used your passphrase to generate a
symmetric key, used that key to encrypt a message, and then sent it to
someone else. How would they get the key needed to decrpyt the message?
You could give them your passphrase (so their copy of Mozilla could
generate the same key), but then you've given them complete access to
your own files should they get access to your system.
This is the age-old problem of "key exchange", and both PGP and S/MIME
solve it using public key technology. That accounts for the way both
protocols work in practice.
Frank
--
Frank Hecker work: http://www.collab.net/
[EMAIL PROTECTED] home: http://www.hecker.org/
