On Nov 13, 2006, at 2:40 AM, Charles Lindsey wrote:

> On Sat, 11 Nov 2006 19:45:34 -0000, Steve Atkins
>
>> On Nov 11, 2006, at 11:31 AM, <Bill(_dot_)Oxley(_at_)cox(_dot_)com> wrote:
>>
>>> The FDIC certifies a bank and authorizes them to use a logo,
>>> phishers immediately certify their mail with that logo?
>>
>> Yes. But that logo will be in the body of the message, not in the
>> MUA where it would be for a real bank message.
>> Think web browser-ssl-padlock or web browser coloured address
>> bar, rather than an attached gif.
>
> Well that implies that every MUA worldwide needs to be upgraded
> before this whitelist solution will work.

No. There is immediate benefit to incremental upgrades.

> And before that, you have to define a communication protocol to
> convey this information from the verifier/whitelist-looker-up/
> whatever to the MUA that the Bad Guys cannot spoof.

Yes. This is not rocket science, though, it's a solved problem.
(TLS with a restricted certificate list would be the proof of
principle, but the technical details are out of scope and really

> It can't go in the body, because I read all my mail as plain text,
> and drop HTML on sight as being sure evidence of spam. And Bad Guys
> can write bodies too.
>
> You can't do it in the headers, because Bad Guys can write headers

If we had some standard for signing the body and headers of the
message, such that we could authenticate that the message had been
sent by, or authorised by, some particular domain and
cryptographically demonstrate that the message hadn't been modified
significantly since then, then we could solve both of those problems.

> You might be able to do it in some special feature of POP3 or IMAP,
> but that would mean an upgrade to the POP3 and IMAP protocols, and
> some people don't use POP3 and IMAP anyway (mail arrives at my
> machine by SMTP).

We're talking about a third-party domain based whitelist keyed by
cryptographically authenticated (DKIM) sender domains, with
(optional, but valuable) MUA support for querying the whitelist. It
requires nothing more complex than DK and a whitelist.
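
The decision discussed in this thread, sketched as an added example (not code from any participant or from the DKIM project): an MUA indicator keyed only on a verified signing domain that appears on a whitelist. The whitelist contents, the `stub_verifier` hook standing in for real DKIM cryptographic verification, and all domains and messages are constructed assumptions.

```python
# Added illustration, not code from the thread. Cryptographic DKIM verification
# is assumed to be done by a separate verifier; its verdict is passed in.
from email import message_from_string

WHITELIST = {"bank.example"}   # constructed third-party whitelist of domains

def parse_tags(value):
    """Parse a DKIM-Signature tag list ("v=1; d=...; h=...") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def trusted_domain(raw_message, verifier_passed):
    """Return the whitelisted domain to show in MUA chrome, or None.

    verifier_passed(tags) -> bool is a hypothetical hook standing in for real
    DKIM verification. Body content and other headers are never consulted.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        domain = tags.get("d", "").lower()
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        if "from" not in signed:          # From must be covered by the signature
            continue
        if verifier_passed(tags) and domain in WHITELIST:
            return domain
    return None

# Constructed messages. GOOD_SIGS lists (d, s) pairs the stand-in verifier accepts.
GOOD_SIGS = {("bank.example", "s1"), ("phish.example", "k")}
def stub_verifier(tags):
    return (tags.get("d"), tags.get("s")) in GOOD_SIGS

def make(d, s, extra=""):
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s={s};\n"
            f"\th=from:subject; b=CONSTRUCTED\n{extra}"
            "From: Bank <alerts@bank.example>\nSubject: notice\n\n"
            "[FDIC logo] Please log in.\n")

REAL = make("bank.example", "s1")                                # verified and whitelisted
PHISH_OWN_KEY = make("phish.example", "k", "X-Certified: FDIC\n")  # verified, not whitelisted
PHISH_FORGED = make("bank.example", "forged")                    # claims bank, fails verification
```

All three messages carry the same logo text and the same From line; only the first yields an indicator, because the result depends solely on the verified `d=` domain and the whitelist.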