
Re: [Asrg] S/MIME

2004-03-21 16:39:27


Alan DeKok wrote:

Doug Royer <Doug(_at_)Royer(_dot_)com> wrote:
Now that I have -  so what?

 I was pointing out that you have no way of knowing *which* address
is the "real" one.  The fact that all of them are signed and certified
is irrelevant.  When you get email from "user@example.com", and
"user@example-canada.com", and "user@example.ca", you still don't know
which one is real.  The others could very well be fraudulent.


If you get a signed message where the cert is signed by a trusted CA, then
it is not fraudulent. It is the 'From' address when the signature matches.

Are you claiming that you want some way to tell if the content is fraudulent?

And which trusted CA are you talking about would issue a user@example.com
address to an example-canada.com email address?

 I've never said that.  Stop trying to misinterpret me.

Then you have failed to make your point as it can't be fraudulent if the
cert is valid from a trusted CA.

I own royer.com, it does not mean that I own all businesses named 'royer'.
So again so what?

 You're missing my point, that's what.  How does *anyone* associate
the "royer" business they know in meat-space with a "royer" they see
on the net?

News flash: There are several 'royer.whatever' sites around the world. In case this
has confused you - we are not related in any way with each other. The same
is true of MANY commercial establishments in your telephone book.
Do you think that they are all related if they have similar names? Did you think
that they cannot commit fraud just because they are in the phone book
with a similar name to your favorite stores?

Did you think they were? If not - what is your point? If it is that
there is no way to do content fraud detection then you are right
and it still has nothing to do with S/MIME.

 Heck, I can register 'the-real-royer.com', steal your
content, get certs signed for it, and announce that 'royer.com' is
fraudulent.

No, you could send email claiming that it was fraudulent.
You could post on your web site claiming that it was fraudulent.

My email would still be valid and the cert I used would still
be valid and traceable to royer.com.

The cert used by 'the-real-royer.com' would still be valid
and traceable to 'the-real-royer.com' .

You're talking about SITE certs - not S/MIME.  Not spam.

You're talking about fraud detection by content that just happened
to be sent in spam.

 How much time and money will you lose?  And you won't be
able to catch me.  The best you can hope for is to convince a
registrar to nuke the name.

You're missing the point. We are NOT talking about site certs.

Content fraud is for the police when you track them down.

It's easy to get a domain and/or certificate with fraudulent identities.

I'll reimburse you if you can get a fraudulent cert for 'royer.com' from a CA that I trust.

 See, I say "fraudulent identities", and you say "fraudulent cert".
Do you understand that you're not talking about the same thing I'm
talking about?
Do you understand that "fraudulent identities" are extremely difficult if
there is no "fraudulent cert"? Do you understand that it would require
some kind of mass conspiracy and bribing of a good CA to generate
a "fraudulent cert" that then could be used for "fraudulent identities"?

Or are you talking about fraudulent content detection?

--

Doug Royer                     |   http://INET-Consulting.com
-------------------------------|-----------------------------
Doug(_at_)Royer(_dot_)com                 | Office: (208)520-4044
http://Royer.com/People/Doug   | Fax:    (866)594-8574
                              | Cell:   (208)520-4044

             We Do Standards - You Need Standards


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
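Added example, not part of the thread: a small Python model of the distinction argued above, namely that a valid S/MIME signature only binds a message to the address in the signer's certificate, while deciding which of several lookalike domains is the "real" one needs a separate, out-of-band trust decision. It assumes the certificate chain has already been validated by the S/MIME library (the `ca_trusted` flag), uses constructed sample messages, and the function names are mine.

```python
from email.utils import parseaddr

def signer_matches_from(cert_emails, from_header):
    """The binding check an S/MIME receiver makes: the address in the
    From header must be one of the rfc822Name addresses in the signer's
    certificate. It proves the signer holds the key certified for that
    mailbox, and nothing more."""
    addr = parseaddr(from_header)[1].lower()
    return addr in {e.lower() for e in cert_emails}

def classify(msg, known_senders):
    """Return (signature_ok, identity_known) for one message.

    msg carries 'from', 'cert_emails' (addresses in the signer's cert)
    and 'ca_trusted' (chain validated to a trusted CA; assumed done by
    the S/MIME library). known_senders is the set of addresses the user
    has verified out of band, which is the only thing that answers
    "which one is the real company"."""
    signature_ok = msg["ca_trusted"] and signer_matches_from(msg["cert_emails"], msg["from"])
    identity_known = signature_ok and parseaddr(msg["from"])[1].lower() in known_senders
    return signature_ok, identity_known

# Constructed sample: three lookalike senders, each with a perfectly valid
# cert for its own address, plus one message whose cert does not match From.
SAMPLE = [
    {"from": "Example <user@example.com>",        "cert_emails": ["user@example.com"],        "ca_trusted": True},
    {"from": "Example <user@example-canada.com>", "cert_emails": ["user@example-canada.com"], "ca_trusted": True},
    {"from": "Example <user@example.ca>",         "cert_emails": ["user@example.ca"],         "ca_trusted": True},
    {"from": "Example <user@example.com>",        "cert_emails": ["someone@other.example"],   "ca_trusted": True},
]
KNOWN = {"user@example.com"}  # constructed: the address the user verified earlier, e.g. from a contract

def report(messages=SAMPLE, known_senders=KNOWN):
    """Classify every sample message; only the pinned address is trusted."""
    return [classify(m, known_senders) for m in messages]

if __name__ == "__main__":
    for m, (sig, ident) in zip(SAMPLE, report()):
        print(f"{m['from']:40} signature_ok={sig!s:5} identity_known={ident}")
```

The first three messages all carry valid signatures and are indistinguishable by S/MIME alone; only the out-of-band pin marks one of them as the known sender, and the fourth is rejected because its certificate does not cover the From address.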
