James A. Donald wrote:
> In order for this to actually be any use, the recipient
> needs to verify the signature and do something on the
> basis of that signature - presumably whitelist email
> that genuinely comes from well known domains.
> Unfortunately, the MTA cannot reliably do something - if
> it drops unsigned mail that is fairly disastrous, and
> the MUA cannot reliably check signatures, since the MTA
> is apt to mess the signatures up.

so what if an isp only signs email where the origin address is the same
as the claimed email "from" address.

then email that claims to be from such an isp, that isn't
signed, might assumed to be impersonation.

and any "abuse" reports to the isp ...where the email has been signed
... should at least trace back to the correct originating account.

ISPs could do ingress filtering where they only process incoming email
from their customers ... where the origin address matches the email
"from" address ... which would eliminate their customers from
impersonating other addresses ... but doesn't preclude customers at
non-participating ISPs from impersonating their customers.

ISPs could also start to quarentine unsigned email that claims to have
originated from ISPs that are known to sign email.

it might be considered to be small step up from ssl domain
name digital certificates ... where the browser checks that
the domain name in the URL is the same as the URL in the
certificate. the issue in the ssl domain name scenario is
some common use where the user has little or no awareness
of the domain name in the URL  .... so the fact that the
actual domain name matches the domain name in the certificate
may bring little additional benefit.

lots of past collected posts mentioning ssl domain name
certificates ... some of the posts mentioning merchant
comfort digital certificates

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to