-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,


If I tick on 'Sign When Completed' (and also when I manually "Sign Block"),
TB/PGP doesn't prompt me for the email address to sign it with. As I have
several email addresses / identities with PGP keys, I have to choose the
right one. (Or The Bat could even choose the right one for me because it
knows the 'From:' email address I'm using.) Still it doesn't choose the right
one, I think it just chooses the 'default' signature set in my PGP Keys
window. I think the whole concept of a 'default address'/'default key'
doesn't make much sense. Any TB! user with multiple email addresses will
write mail using those multiple email addresses and may have to sign their
messages with the appropriate key, NOT just the default key. This
effectively means one has to remember to go into PGP tray and check/change
the default BEFORE sending every signed message you want to sign.

I just did some testing, and it's even worse: After changing your default
identity/key in PGPKeys, you HAVE to exit TB and start it up again, or it
will still use the old default key!

This is actually a pretty serious security problem, because you WILL blow
your alias/cover if you sign with the wrong key. (The email address after
all is unencrypted in the sign block.) That's every bit as bad as appending
the wrong .sig to one of your addresses/identities, which is nothing short
of a nightmare scenario. (You know the feeling when your heart misses 3
beats when you think you just appended your real name and company signature
to some silly discussion board or support group where you really wanted to
remain anonymous.)

If this really is the case then everyone with more than one PGP key should
disable PGP signing in TB for all accounts and do any signing manually
using your PGP software.  At the very least, create a dummy-key for a non
existing address and set that one to be the default.

Thoughts?

On a separate note, I also get some pretty entertaining characters at the
end of my message, right in front of the signature text..

Cheers,
Han.
ig|��|��8

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2i

iQA/AwUBO+LnyksEXk3vzIZdEQL00ACgjX60TIlPkBPesN8FA4eX3iW+1hMAn1Ef
MLPuLzInrNoAj/IVCzmJRtHy
=1YHW
-----END PGP SIGNATURE-----


-- 
________________________________________________________
Archives   : http://tbudl.thebat.dutaint.com
Moderators : mailto:[EMAIL PROTECTED]
TBTech List: mailto:[EMAIL PROTECTED]
Unsubscribe: mailto:[EMAIL PROTECTED]
Latest Vers: 1.53d
FAQ        : http://faq.thebat.dutaint.com 
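
The check the post asks for, as an added example (not part of the original message, and not The Bat!'s or PGP's own code): choose the signing key from the message's From: address and refuse to sign rather than fall back to a default key. The keyring contents, the function names and the use of GnuPG's `--local-user` and `--clearsign` options for manual signing are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses


class SigningKeyError(Exception):
    """Raised instead of silently falling back to a default key."""


# Constructed sample keyring: fingerprint -> addresses in that key's user IDs.
KEYRING = {
    "1111111111111111111111111111111111111111": ["han@work.example"],
    "2222222222222222222222222222222222222222": ["nym@forum.example"],
}


def select_signing_key(raw_message, keyring):
    """Return the single fingerprint whose user ID matches the From: address."""
    msg = message_from_string(raw_message)
    senders = [addr.lower()
               for _, addr in getaddresses(msg.get_all("From", []))
               if addr]
    if len(senders) != 1:
        raise SigningKeyError(
            "need exactly one From: address, got %d" % len(senders))
    sender = senders[0]
    matches = [fpr for fpr, uids in keyring.items()
               if sender in (u.lower() for u in uids)]
    if not matches:
        # Fail closed: signing with some other identity's key links the two.
        raise SigningKeyError("no key for %s; refusing to sign" % sender)
    if len(matches) > 1:
        raise SigningKeyError(
            "several keys claim %s; choose one explicitly" % sender)
    return matches[0]


def gpg_sign_argv(raw_message, keyring):
    """Build a gpg command line that names the signer explicitly."""
    fpr = select_signing_key(raw_message, keyring)
    # --local-user names the signing key, so no default key is consulted.
    return ["gpg", "--local-user", fpr, "--clearsign"]
```
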
