[Enigmail] use of openPGP

Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 27 14:00:49 PDT 2007


James Kosin wrote:
> This makes a bit more sense; so,

First, please trim your quoted material, especially for very large
messages like the one you were quoting.  Thank you.  :)

> (1)  When enigmail sends an encrypted message; it creates a session
> key to encrypt the message.  Kind of like the password to send.

GnuPG does this.  Enigmail is just a front-end for GnuPG.  All your
references to Enigmail should properly be references to GnuPG.

> (2)  Then encrypts the session key with the destination's public key
> (so the recipient can decrypt the message using their private key).

Again, GnuPG does this, but yes.

> (3)  I'm guessing enigmail creates another copy of the session key
> encrypted for each destination.  You state this above; so I guess it
> has to be true.

Roughly speaking, yes.

> (4)  I'm also taking a stab by saying "The fewer people you send an
> encrypted message to the better."   Since with multiple copies of the
> encrypted session key are embedded in the message the more of a chance
> a hacker can actually guess (not easily done) the session key and
> decrypt the message themselves.  (with a LOT OF TIME)...  Not that
> anyone would actually want to do such a thing.

No.  The more people you send a message to, the greater the likelihood
one of them will talk about it.  Like Ben Franklin said, "three can keep
a secret if two of them are dead."

> The public and secret keys used by enigmail and PGP are examples of
> Asymmetric keys.  One doesn't have to have the secret key to verify
> the signature; that is what the public key is for.  But to create a
> message, they need the secret key.  The public key won't work for
> creating a message.

No.  The -recipient's- public key is used to encrypt the message, and
the -recipient's- private key is used to decrypt the message.  The
-sender's- private key is used to sign the message, and the -sender's-
public key is used to verify the signature.



