ietf-asrg

Re: [Asrg] Re: the e-postage argument

2004-04-22 20:14:10
On Apr 21, 2004, at 21:21, Seth Breidbart quoted someone:
>> How come SSL certificates in HTTPS transactions can work? Aren't they
>> reasonably analogous?
>
> No; anybody can generate one.  Somebody who wanted billions of valid
> ones could just spend a little CPU time.

No, it doesn't work like that. If it did, SSL would be useless.

Sure, I can generate a self-signed SSL certificate, but that's not going to get me anywhere. See <URL:http://milliwaysconsulting.net/support/install_ca/mail.app.html> for example, for discussion of the lengths you have to go to to get Apple Mail to accept some random person's SSL cert.

I guess the spammers could cold-call Aunt Tillie on the phone and walk her through the process of importing their self-signed certificate so that their bogus postage would be accepted, but at least it would slow them down a bit, eh? And if the postage verification was performed by her ISP, they'd have to persuade *them* to accept SSL certs signed by "Nigerian Opt-In Communications Inc." or whatever.

Ask yourself why phishing sites don't use SSL.


mathew

Attachment: smime.p7s
Description: S/MIME cryptographic signature