On Wed February 25 2004 10:27, John Stracke wrote:
> Dave Aronson wrote:
>> On Wed February 25 2004 09:53, John Stracke wrote:
>>> Not necessarily. Spam viruses would then start collecting
>>> people's private keys.
>> Theoretically possible, but at least it would significantly raise
>> the bar.
> Only one person needs to figure out how to do it. Think script
> kiddies.

True again, but I still don't think that this additional usage of
private keys would provide sufficient incentive for a virus author.
What do they gain out of snarfing someone's private key, that they
wouldn't gain without this proposal? (For those tuning in late, it has
unfortunately been pushed off the top, but boils down to mailing list
processors being able to require and verify digital signatures on
members' posts.) It nets them the ability to spam digsig-protected
mailing lists that the victim is on, until the victim cleans out the
infection and changes his key. BFD. I suppose some twerp might do so
just because he can, but I don't think this will provide the incentive.
Admittedly, there are *other* existing incentives, and will probably be
more as digitally signed and/or encrypted email becomes more popular
and easier to use, but that's a whole 'nother story. These other
incentives may cause such a virus to be written, and this mechanism may
suffer as a result.
--
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)