
Re: [Asrg] 0 General - Fake HIV Letters in mail

2004-03-21 09:59:17
> If the cert has not been revoked (by checking), then you know that
> the person that used the cert had permission to use that 'From' address.

Well, not quite, you know that the CA that signed the cert thought
that the sender had permission to use that address.

> *IF* you trust the CA in the signature, then you trust that it came from
> a valid user of that email address and was not forged.

We're back to the key management problem.  I don't see how a public
signer that signed enough keys to be useful as a whitelist wouldn't
also let enough bad guys sneak through that you'd want to use it as
a blacklist.

For small and reasonably well defined communities, a company signing
its employees' certs, or various geekly groups who know each other,
sigs can work, but I've never been able to see a plausible way to
scale up to the whole world of e-mail.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
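An added example, not part of the thread and not John Levine's code, making the point above concrete: a valid signature on a message only proves that the key holder controls the address *as far as the issuing CA vouched for it*. The relying party still has to decide whether that CA is in its own trust store, check the chain and revocation status, and compare the certified address against the From header. Everything here is constructed for illustration (the CA names, the addresses, the message, and the in-memory revoked-serial set that stands in for a CRL or OCSP lookup); it uses the `cryptography` library, which is assumed to be installed.

```python
"""Added example: what a signature check on a mail message actually establishes.
All keys, CAs, addresses and the message below are constructed; the revoked-serial
set stands in for a real CRL/OCSP lookup."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

OK, UNTRUSTED_CA, BAD_CHAIN, EXPIRED, REVOKED, BAD_SIG, ADDR_MISMATCH = (
    "ok", "issuer not in trust store", "certificate not signed by claimed issuer",
    "certificate outside validity period", "certificate revoked",
    "message signature invalid", "certified address does not match From")


def _window(now):
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)


def make_ca(name):
    """Self-signed CA (constructed); returns (private key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    nb, na = _window(datetime.datetime.now(datetime.timezone.utc))
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_email_cert(ca_key, ca_cert, email):
    """End-entity cert whose SAN carries the e-mail address the CA vouches for."""
    key = ec.generate_private_key(ec.SECP256R1())
    nb, na = _window(datetime.datetime.now(datetime.timezone.utc))
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def _validity(cert):
    # Newer cryptography releases expose tz-aware *_utc properties; older ones are naive UTC.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_sender(message, signature, cert, trusted_cas, revoked_serials, from_addr):
    """Return (accepted, reason). Each check is something a signature alone does not give you."""
    issuer = next((ca for ca in trusted_cas if ca.subject == cert.issuer), None)
    if issuer is None:
        return False, UNTRUSTED_CA          # nobody here decided to trust this CA
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, BAD_CHAIN             # issuer name claimed, but the CA never signed it
    nb, na = _validity(cert)
    if not nb <= datetime.datetime.now(datetime.timezone.utc) <= na:
        return False, EXPIRED
    if cert.serial_number in revoked_serials:   # constructed stand-in for CRL/OCSP
        return False, REVOKED
    try:
        cert.public_key().verify(signature, message, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False, BAD_SIG
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    certified = {a.lower() for a in san.get_values_for_type(x509.RFC822Name)}
    if from_addr.lower() not in certified:
        return False, ADDR_MISMATCH         # valid cert, just not for the address shown
    return True, OK


def demo():
    """Five constructed scenarios; returns {name: (accepted, reason)}."""
    ca_key, ca = make_ca("Constructed Trusted CA")
    rogue_key, rogue = make_ca("Constructed Untrusted CA")
    alice_key, alice = issue_email_cert(ca_key, ca, "alice@example.com")
    other_key, other = issue_email_cert(rogue_key, rogue, "alice@example.com")
    msg = b"Subject: hello\r\n\r\nconstructed message body"
    sig = alice_key.sign(msg, ec.ECDSA(hashes.SHA256()))
    trust = [ca]
    return {
        "good": verify_sender(msg, sig, alice, trust, set(), "alice@example.com"),
        "revoked": verify_sender(msg, sig, alice, trust, {alice.serial_number}, "alice@example.com"),
        "untrusted_ca": verify_sender(msg, other_key.sign(msg, ec.ECDSA(hashes.SHA256())),
                                      other, trust, set(), "alice@example.com"),
        "from_mismatch": verify_sender(msg, sig, alice, trust, set(), "bob@example.com"),
        "tampered": verify_sender(msg + b"!", sig, alice, trust, set(), "alice@example.com"),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:14s} accepted={accepted} ({reason})")
```

The "untrusted_ca" case is the one the reply is about: the second CA issued a perfectly well-formed certificate for alice@example.com, and the message signature verifies against it, yet the verifier rejects it because that CA is not in its trust list. Whether to put a CA in that list is the key-management decision the thread says does not scale.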

