
Re: [Asrg] 0 General - Fake HIV Letters in mail

2004-03-21 08:01:12
Doug Royer <Doug(_at_)Royer(_dot_)com> wrote:
S/MIME  forces the 'From' address to match the signature.
It makes no other claim. It has nothing to do with your location
or the originating domain.

  Which means that you still have no idea if the address in the
"From" line is truthful.  Please go back and read the rest of my comments.

  If you want to spoof example.com, which has a Canadian branch
office, as an individual, you can register "example-canada.com", and
send S/MIME signed messages from it.  The recipients have no way of
knowing such messages are fraudulent.

  Sure, the signature means it's easier to verify that it was *you*
who committed the fraud, but how does that help the recipients, who've
lost money?  How does that help law enforcement, when you've used that
money to flee the country?

  Validating identities means nothing if the identities being
validated are fraudulent.

If the cert has not been revoked (by checking), then you know that
the person that used the cert had permission to use that 'From' address.

  From whom?  The signing authority, who sells signed certs for $40?

*IF* you do trust the CA and it is spam - you could add that public
cert to your blacklist, publish that as a spam cert. And you can 
*automatically* find the authority for that domain in the signature
and complain.

  Again, if that information is valid.  If not, you're stuck.

  It's easy to get a domain and/or certificate with fraudulent identities.

*IF* you do NOT trust the CA - you're where you're at now. I for one have
a handful of CAs that I trust.

  That's nice for you.  How does that scale to everyone else?

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
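As an added illustration, not code from the thread, here is a small Python model of the check Doug describes (signer certificate must match the From address, CA trusted, cert not revoked) next to the separate question Alan raises (is this domain the one you think it is). Certificates are plain dicts and the CA names, serials and domains are constructed for the example.

```python
# Toy model of the S/MIME "From must match the signer" guarantee and its limit.
# Certificates are dicts; no real CMS/X.509 parsing is done here.
from email.utils import parseaddr

TRUSTED_CAS = {"Example Trusted CA"}      # constructed: the handful of CAs you trust
REVOKED_SERIALS = {"0xdeadbeef"}          # constructed: serials from a local CRL
KNOWN_DOMAINS = {"example.com"}           # constructed: domains you already deal with


def smime_from_check(from_header, signer_cert):
    """Return (ok, reason) for the claim 'the From address matches the signature'."""
    _, addr = parseaddr(from_header)
    if signer_cert["issuer"] not in TRUSTED_CAS:
        return False, "untrusted CA"
    if signer_cert["serial"] in REVOKED_SERIALS:
        return False, "certificate revoked"
    if addr.lower() != signer_cert["email"].lower():
        return False, "From does not match certificate email"
    return True, "signature binds From to certificate"


def sender_is_known(from_header):
    """The question smime_from_check never answers: is the domain one you trust?"""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain in KNOWN_DOMAINS


if __name__ == "__main__":
    # Constructed lookalike: its own valid cert, trusted CA, not revoked.
    lookalike = {"email": "billing@example-canada.com",
                 "issuer": "Example Trusted CA", "serial": "0x1234"}
    hdr = "Example Billing <billing@example-canada.com>"
    print(smime_from_check(hdr, lookalike))  # passes every S/MIME check
    print(sender_is_known(hdr))              # but it is not example.com
```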