[Asrg] Re: S/MIME



John Levine wrote:

If the cert has not been revoked (by checking), then you know that
the person that used the cert had permission to use that 'From' address.


Well, not quite, you know that the CA that signed the cert thought
that the sender had permission to use that address.

Which is why I said:

   "The  signature only means - yes the signature matches the From line. "

and

 "*IF* you trust the CA in the signature, then you trust that it came from
   a valid user of that email address and was not forged. "

*IF* you trust the CA in the signature, then you trust that it came from
a valid user of that email address and was not forged.


We're back to the key management problem.  I don't see how a public
signer that signed enough keys to be useful as a whitelist wouldn't
also let enough bad guys sneak through that you'd want to use it as
a blacklist.

I do not know of anyone selling keys for a white or black list. I doknow of a few

CAs that sell certs that match the domains they check them against. The CA

sell certs that match the 'From' line, they do not declare the emailaddress pure.


For small and reasonably well defined communities, a company signing
its employees certs, or various geekly groups who know each other,
sigs can work, but I've never been able to see a plausible way to
scale up to the whole world of e-mail.

This is mixing subjects. Being able to validate that the 'From' line isnot forged

has nothing to do with black or white lists.  You can black or white list
based on email address as well as certs - no change to scaleability.

If over time I learn that 'spam-certs-ca' sells certs for any domain name
I can blacklist any cert signed by them. MUCH more scalable that
trying to guess the thousands 'From' address that may be sending spam.

--

Doug Royer                     |   http://INET-Consulting.com
-------------------------------|-----------------------------
Doug(_at_)Royer(_dot_)com                 | Office: (208)520-4044
http://Royer.com/People/Doug   | Fax:    (866)594-8574
                              | Cell:   (208)520-4044

             We Do Standards - You Need Standards

smime.p7s
Description: S/MIME Cryptographic Signature

<Prev in Thread]	Current Thread	[Next in Thread>
RE: [Asrg] S/MIME, (continued) RE: [Asrg] S/MIME, Tom Thomson Re: [Asrg] S/MIME, Eugene Crosser Re: [Asrg] S/MIME, Alan DeKok Re: [Asrg] S/MIME, Doug Royer Re: [Asrg] S/MIME, Alan DeKok Re: [Asrg] S/MIME, Doug Royer Re: [Asrg] S/MIME, Ken Hirsch Re: [Asrg] S/MIME, George Ou Re: [Asrg] S/MIME, Doug Royer Re: [Asrg] 0 General - Fake HIV Letters in mail, John Levine [Asrg] Re: S/MIME, Doug Royer <= Re: [Asrg] Re: S/MIME, Yakov Shafranovich Re: [Asrg] Re: S/MIME, Doug Royer Re: [Asrg] Re: S/MIME, John Levine Re: [Asrg] Re: S/MIME, Doug Royer Re: [Asrg] Re: S/MIME, der Mouse Re: [Asrg] Re: S/MIME, Yakov Shafranovich Re: [Asrg] Re: S/MIME, der Mouse