ietf-asrg

Re: [Asrg] S/MIME

2004-03-21 12:35:36


Alan DeKok wrote:

Doug Royer <Doug(_at_)Royer(_dot_)com> wrote:
S/MIME  forces the 'From' address to match the signature.
It makes no other claim. It has nothing to do with your location
or the originating domain.

 Which means that you still have no idea if the address in the
"From" line is truthful.  Please go back and read the rest of my comments.

Now that I have -  so what?

 If you want to spoof example.com, which has a Canadian branch
office, as an individual, you can register "example-canada.com", and
send S/MIME signed messages from it.  The recipients have no way of
knowing such messages are fraudulent.

And which trusted CA are you talking about would issue a
user(_at_)example(_dot_)com address to an example-canada.com email address?
None that I know of, so they could send email as
user(_at_)example-canada(_dot_)com - which would not be forged - so what?

 Sure, the signature means it's easier to verify that it was *you*
who committed the fraud, but how does that help the recipients, who've
lost money?  How does that help law enforcement, when you've used that
money to flee the country?

You have failed to make your point. The only thing you have shown so far
is that user(_at_)example-canada(_dot_)com sent you email.

I own royer.com, it does not mean that I own all businesses named 'royer'.
So again so what?

 Validating identities means nothing if the identities being
validated are fraudulent.

You have not made the case that user(_at_)example-canada(_dot_)com is invalid.
You just have declared that it is not user(_at_)example(_dot_)com and we agree.

If the cert has not been revoked (by checking), then you know that
the person that used the cert had permission to use that 'From' address.

 From who?  The signing authority, who sells signed certs for $40?

Read up on certs to find the answer. If you pre-declare that you
will not trust any CA anyway - what's your point?

*IF* you do trust the CA and it is spam - you could add that public
cert to your blacklist, publish that as a spam cert. And you can
*automatically* find the authority for that domain in the signature
and complain.

 Again, if that information is valid.  If not, you're stuck.

Stuck with what? You now know that user(_at_)example-canada(_dot_)com is a cert
to ignore or blacklist. Why is that a bad thing?

 It's easy to get a domain and/or certificate with fraudulent identities.

I'll reimburse you if you can get a fraudulent cert for 'royer.com' from a CA that I trust. Willing to try? In fact I'll pay you twice their fee. Else please stop this noise.

*IF* you do NOT trust the CA - you're where you're at now. I for one have
a handful of CAs that I trust.

 That's nice for you.  How does that scale to everyone else?

Scale has nothing to do with it - nothing changes.

--

Doug Royer                     |   http://INET-Consulting.com
-------------------------------|-----------------------------
Doug(_at_)Royer(_dot_)com                 | Office: (208)520-4044
http://Royer.com/People/Doug   | Fax:    (866)594-8574
                              | Cell:   (208)520-4044

             We Do Standards - You Need Standards


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature