From: wiz <wiz@c2.org>
Date: Sat, 9 Mar 1996 19:32:34 +0800
To: cypherpunks@toad.com
Subject: Java and PGP
Message-ID: <199603080846.AAA23594@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


With all the current discussion on Java encryption api's, it got me thinking.
 
Would it be possible to write a Java applet that provides secure email?
By secure, I mean that nobody but the intended recipient of a letter can
read it. And that the reader knows who wrote it. That is, encryption and
signing a la PGP.
 
Using https you would download a Java applet from your mail server. Https
is needed so that a MITM can not give you a fake applet. The applet will
fetch your secring.pgp from the mail server. It will fetch your mail by
POP3 from same server and decrypt any PGP mail using the pass phrase you
enter in the applet window.
 
Problem with this setup, your mail server administrator could give you
a fake applet that sends your pass phrase back to him. That means that the
applet must be verified anyhow, so maybe https doesn't really help.
 
Anybody see a solution to this? If the applet viewer (such as Netscape 2.0)
would show an MD5 sum of the applet, we could verify that with a third party.
But it should be done automatically, like the way Netscape verifys https.

<wiz@c2.org>