Thursday, February 12, 2009

Gmail Tests PGP Signature Verification

Sean Leather spotted a new Gmail feature that checks if the PGP signature attached to a message is valid.

"A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact," explains PGP's documentation.


Gmail's code reveals that Google uses a Java applet to perform verification. Here are some excerpts from the code:

function zOb(a){var b=a[dd](/(-----BEGIN PGP SIGNED MESSAGE-----(.|\r?\n)*?-----END PGP SIGNATURE-----)/);
...
var DOb="PGPApplet",EOb="exp/799/pgpapplet_0.jar";
OZ[k].wbc=function $aRa(){var a=document[Qi](M);d(a,WNb({code:"com/google/caribou/pgp/PGPApplet.class",name:DOb,archive:EOb}));
...
kOb="Click to verify PGP signature in this message.",
lOb="Verify signature",
RZ="vPzQab",
mOb="Info",
nOb="No valid PGP signature found.",
oOb="Warning!",
pOb="Invalid key entered.",
qOb="Applet not loaded. Is Java enabled?",
rOb="wrClmc",
sOb="Success!",
tOb="Your message was verified successfully!",
uOb="Verify again",
vOb="The signature was incorrect! This message may not be authentic!"
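The regular expression in the first excerpt pulls the whole clearsigned block out of the message body. As an added example (not Gmail's code; `parseClearsigned` and its field names are hypothetical), the following splits such a block into the parts a verifier works on, following RFC 4880's cleartext signature framework, and reports any text outside the block, which the signature does not cover.

```javascript
// Added example: split a message into its clearsigned parts (RFC 4880, section 7).
// Function and field names are hypothetical, not taken from Gmail's code.
const CLEARSIGNED = /-----BEGIN PGP SIGNED MESSAGE-----\r?\n([\s\S]*?)\r?\n-----BEGIN PGP SIGNATURE-----\r?\n([\s\S]*?)\r?\n-----END PGP SIGNATURE-----/;

function parseClearsigned(message) {
  const m = CLEARSIGNED.exec(message);
  if (!m) return null; // no complete clearsigned block
  const [block, head, armor] = m;

  // Armor headers ("Hash: SHA256") run up to the first empty line.
  const lines = head.split(/\r?\n/);
  const blank = lines.indexOf("");
  if (blank === -1) return null; // malformed: no header/body separator
  const hashes = [];
  for (const h of lines.slice(0, blank)) {
    const kv = /^Hash: (.+)$/.exec(h);
    if (!kv) return null; // this example rejects anything other than a Hash header
    hashes.push(...kv[1].split(",").map((s) => s.trim()));
  }

  // Body lines starting with "-" were escaped as "- " by the signer; undo that.
  const signedText = lines
    .slice(blank + 1)
    .map((l) => (l.startsWith("- ") ? l.slice(2) : l))
    .join("\n");

  // Anything outside the block is not covered by the signature.
  const outside = (message.slice(0, m.index) + message.slice(m.index + block.length)).trim();

  return { hashes, signedText, armor: armor.trim(), unsignedText: outside };
}

// Constructed sample; the signature body is a placeholder, not a real signature.
const sample = [
  "Note added outside the signed block.",
  "-----BEGIN PGP SIGNED MESSAGE-----",
  "Hash: SHA256",
  "",
  "Meeting moved to 3pm.",
  "- -- Alice",
  "-----BEGIN PGP SIGNATURE-----",
  "",
  "PLACEHOLDER",
  "-----END PGP SIGNATURE-----",
].join("\n");

console.log(parseClearsigned(sample));
```

The parser verifies nothing by itself: checking the signature still requires the sender's public key and an OpenPGP implementation.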

The new feature quickly vanished from Sean's account, so it's safe to assume that it's not ready to be publicly released yet. PGP signature verification is the perfect candidate to be the next Gmail Labs experiment.

Update: Expect to see this feature in Gmail Labs. Look for this image:
