From: darren chamberlain <[EMAIL PROTECTED]>
Date: Tue, 9 Dec 2003 12:07:55 -0500
* Sean Quinlan <sean at quinlan.org> [2003/12/09 11:43]:
> ... I also digitally sign my email, which I don't think a virus is
> capable of???

A virus can be capable of *appearing* to sign a message, but only those
who actually verify signatures will tell if the signature was OK . . .

Two points, equally OT:
1. If your mail user agent remembers your pass phrase for you, then
the virus payload could in principle generate authentic signatures using
your private key. Even if the MUA doesn't remember it, sloppy coding
might allow the malicious code to recover the pass phrase.
2. If the MUA can't find the public key for the signature, either
because it's fictitious, or maybe it's just not published, then it can't
know that the signature is bad. A virus filter could not assume that
the message was bogus in that case, especially if it didn't have access
to your keyring, though whether that justifies decreasing the spam score
is another matter.

About a year ago, there was a discussion on bugtraq about the value
(or lack thereof) of signing outgoing email as a matter of course. One
poster said (and others concurred) that he had checked signatures
regularly at one point, but stopped because he found that *most*
appeared to be invalid for spurious reasons (i.e. transport lossage), so
that greatly diluted their utility. Others argued that signing
everything was a way of publishing one's key data widely enough so that
an impostor would have a hard time getting anyone to fall for a
substitute key. But then, you can get the same effect by putting the
fingerprint in your sig.
-- Bob Rogers
http://rgrjr.dyndns.org/
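As an added illustration of point 2 above (not code from the original post or its author), this maps the machine-readable status lines `gpg --status-fd` emits to a verdict a mail filter could act on, treating "no public key" as unknown rather than as evidence of forgery. The status lines and key id are constructed samples, and the score deltas are assumed illustrative values.

```python
# Added example (not from the original post): classify `gpg --status-fd`
# output. Sample lines use a made-up key id; score deltas are illustrative.
from enum import Enum

class Verdict(Enum):
    GOOD_TRUSTED = "valid signature, key trusted"
    GOOD_UNTRUSTED = "valid signature, key untrusted, expired or revoked"
    BAD = "signature does not verify"
    UNKNOWN = "signature present but unverifiable (no public key)"
    UNSIGNED = "no signature found"

def classify(status_lines):
    """BAD outranks UNKNOWN, which outranks GOOD; trust needs TRUST_FULLY or better."""
    good = stale = bad = unknown = trusted = False
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw == "GOODSIG":
            good = True
        elif kw in ("EXPKEYSIG", "REVKEYSIG"):
            good = stale = True            # verifies, but the key is no longer live
        elif kw == "BADSIG":
            bad = True
        elif kw in ("ERRSIG", "NO_PUBKEY"):
            unknown = True                 # no key: cannot tell good from forged
        elif kw in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            trusted = True
    if bad:
        return Verdict.BAD
    if unknown:
        return Verdict.UNKNOWN
    if good:
        return Verdict.GOOD_TRUSTED if trusted and not stale else Verdict.GOOD_UNTRUSTED
    return Verdict.UNSIGNED

# Only a trusted good signature earns credit; an unknown key is neutral, and a
# bad signature counts little because transport damage yields many innocent BADSIGs.
SCORE_DELTA = {Verdict.GOOD_TRUSTED: -1.0, Verdict.GOOD_UNTRUSTED: 0.0,
               Verdict.BAD: 0.5, Verdict.UNKNOWN: 0.0, Verdict.UNSIGNED: 0.0}

SAMPLE_NO_KEY = ["[GNUPG:] NEWSIG",
                 "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1070989675 9 -",
                 "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"]
SAMPLE_TRUSTED = ["[GNUPG:] NEWSIG",
                  "[GNUPG:] GOODSIG 0123456789ABCDEF Example <sender@example.org>",
                  "[GNUPG:] TRUST_FULLY 0 pgp"]
```

Run `classify(SAMPLE_NO_KEY)` to see the unknown-key case land on a neutral score rather than a penalty.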
_______________________________________________
Boston-pm mailing list
[EMAIL PROTECTED]
http://mail.pm.org/mailman/listinfo/boston-pm