Alan DeKok wrote:
That requires well-known sources. If I get a letter from my bank, I
have many ways of telling that the letter is authentic. If I get an
email from them, I have many fewer ways.
Signing messages is a start. But what identity is trusted?
example.com, example.ca, or example-canada.com? Without a trusted
naming scheme, cryptographic signatures not much more than a way to
burn CPU cycles.
Alan DeKok.
S/MIME forces the 'From' address to match the signature.
It makes no other claim. It has nothing to do with your location
or the originating domain. In fact I can send email from several domains,
each using my cert that says I am 'doug(_at_)royer(_dot_)com'. It makes no
difference
which domain I send it from, it only means I have the private
key to that public signature and it matches the 'From' line. The
signature only means - yes the signature matches the From line.
If the cert has not been revoked (by checking), then you know that
the person that used the cert had permission to use that 'From' address.
*IF* you trust the CA in the signature, then you trust that it came from
a valid user of that email address and was not forged.
That alone would stop 1,000's of forged email spams I get every week
to the domains I administer.
*IF* you do trust the CA and it is spam - you could add that public
cert to your blacklist, publish that as a spam cert. And you can
*automaticly*
find the authority for that domain in the signature and complain.
*IF* you do NOT trust the CA - your where your at now. I for one have
a handful of CA's that I trust.
--
Doug Royer | http://INET-Consulting.com
-------------------------------|-----------------------------
Doug(_at_)Royer(_dot_)com | Office: (208)520-4044
http://Royer.com/People/Doug | Fax: (866)594-8574
| Cell: (208)520-4044
We Do Standards - You Need Standards
smime.p7s
Description: S/MIME Cryptographic Signature