Troels Jakobsen wrote:
> Situation 1 is infeasible, since it requires all ordinary users to
> obtain a certificate to use as signature. The procedure of obtaining
> the certificate is non-trivial, costs money, and can't be automated,
> since the CA (cert. authority) guarantees the identity of the owner.
> If you could automatically get a certificate it would be worthless.

Anyone can get a free email cert from Thawte. Non-trivial as you mention (find the site, find the freemail page on the site, fill in the forms, respond to email, wait, save and import cert into browser), but anyone with a working email address can do it.

> Situation 2 is undoubtedly feasible, and I suppose some spam filters
> use a signature as proof of validity. It's just that so few emails are
> actually signed that it makes no difference.

And there's nothing stopping spammers from getting a cert should such a filtering method prove effective.

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
