North American Network Operators Group

Re: What happened to dot pro... (BTW)

  • From: Valdis.Kletnieks
  • Date: Sun Feb 01 22:58:10 2004

On Sun, 01 Feb 2004 21:48:47 EST, John R Levine said:

> A PGP or S/MIME signature assures you that the mail definitely came from
> the address it purports to come from, but it doesn't tell you whether that
> person is who you think it is.  That's where limited access domains can
> help.

Umm... no.

If the PGP or S/MIME trust infrastructure is able to tell you that the
mail came from somebody in particular, the domain doesn't matter anymore.

Consider this PGP-signed mail.  If your PGP web-of-trust ID's it as me, then
it's me or somebody/something with access to my private key. I could have
posted this from a pay-by-the-hour cyber cafe in Paris, using a created ID on
their mail server for the From:, and PGP would still tell you if it was from me
or not.

If your web-of-trust *doesn't* verify it, it doesn't matter if I'm coming from
a .pro or a .edu or a cyber cafe.

(Note that the same logic applies to S/MIME - the fact that Verisign accepted
money to sign a certificate for doesn't tell you anything
about whether you should actually deal with foobar.  All it really proves is
that the news about Foobar's disbarment hasn't reached the domain registrar

Attachment: pgp00002.pgp
Description: PGP signature
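
Added example, not part of the original message: a simplified web-of-trust validity check showing that the accept/reject decision depends only on whether the signing key is valid in the reader's keyring, never on the From: domain. It goes beyond the message by assuming GnuPG's classic thresholds (1 fully trusted or 3 marginally trusted introducers, depth 5); all key ids, owners and addresses are constructed, and the cryptographic signature check is assumed to have been done already by the OpenPGP implementation.

```python
# Simplified web-of-trust validity model. Thresholds follow GnuPG's classic
# defaults (assumption; the message names no specific implementation).
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5

# Constructed keyring: key id -> key ids that certified it.
CERTS = {
    "K_A": {"K_ME"}, "K_B": {"K_ME"}, "K_C": {"K_ME"},
    "K_AUTHOR": {"K_A", "K_B", "K_C"},   # three marginal introducers
    "K_UNKNOWN": {"K_A"},                # only one marginal introducer
}
OWNERS = {"K_AUTHOR": "list author", "K_UNKNOWN": "claims to be a lawyer"}
# How far the local user trusts each key holder to certify others.
OWNERTRUST = {"K_A": "marginal", "K_B": "marginal", "K_C": "marginal"}

def valid_keys(my_key, certs, ownertrust):
    """Key ids whose owner binding is considered valid from my_key's view."""
    valid = {my_key}
    for _ in range(MAX_DEPTH):
        added = set()
        for key, signers in certs.items():
            if key in valid:
                continue
            good = [s for s in signers if s in valid]
            full = sum(s == my_key or ownertrust.get(s) == "full" for s in good)
            marginal = sum(ownertrust.get(s) == "marginal" for s in good)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                added.add(key)
        if not added:
            break
        valid |= added
    return valid

VALID = valid_keys("K_ME", CERTS, OWNERTRUST)

def identify_sender(msg, valid=VALID, owners=OWNERS):
    """Return the verified identity, or None. msg["signing_key"] is the key id
    of a signature that already checked out cryptographically (None if the
    mail is unsigned). The From: header is deliberately never consulted."""
    key = msg["signing_key"]
    return owners.get(key) if key in valid else None

# Constructed messages: same decision logic, very different From: domains.
MESSAGES = [
    {"from": "guest42@cybercafe.example", "signing_key": "K_AUTHOR"},
    {"from": "counsel@example.pro", "signing_key": "K_UNKNOWN"},
    {"from": "counsel@example.pro", "signing_key": None},
]
if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from"], "->", identify_sender(m))
```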