What happened to dot pro... (BTW)

Valdis.Kletnieks at vt.edu
Mon Feb 2 03:55:36 UTC 2004


On Sun, 01 Feb 2004 21:48:47 EST, John R Levine said:

> A PGP or S/MIME signature assures you that the mail definitely came from
> the address it purports to come from, but it doesn't tell you whether that
> person is who you think it is.  That's where limited access domains can
> help.

Umm... no.

If the PGP or S/MIME trust infrastructure is able to tell you that the
mail came from somebody in particular, the domain doesn't matter anymore.

Consider this PGP-signed mail.  If your PGP web-of-trust ID's it as me, then
it's me or somebody/something with access to my private key. I could have
posted this from a pay-by-the-hour cyber cafe in Paris, using a created ID on
their mail server for the From:, and PGP would still tell you if it was from me
or not.

If your web-of-trust *doesn't* verify it, it doesn't matter if I'm coming from
a .pro or a .edu or a cyber cafe.

(Note that the same logic applies to S/MIME - the fact that Verisign accepted
money to sign a certificate for foobar.legal.pro doesn't tell you anything
about whether you should actually deal with foobar.  All it really proves is
that the news about Foobar's disbarment hasn't reached the domain registrar
yet....)

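The argument in the message above, as an added example that is not part of the original post: a simplified model of GnuPG's classic web-of-trust validity rule with GnuPG's default thresholds, showing that the accept decision depends on the signing key and never on the From: domain. The key IDs, the cyber-cafe address and the `valid_keys`/`accept` helpers are constructed for illustration, and cryptographic signature verification is assumed to have already succeeded.

```python
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"
# GnuPG defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5

def valid_keys(my_key, certs, ownertrust):
    """Return the keys considered valid, working outward from my own key.

    certs: iterable of (signer_key, signed_key) certifications.
    ownertrust: key -> FULL or MARGINAL, my trust in that key's owner as an introducer.
    """
    signers = defaultdict(set)
    for signer, signed in certs:
        signers[signed].add(signer)
    trust = {**ownertrust, my_key: FULL}  # simplification: "ultimate" treated as full
    valid = {my_key}
    for _ in range(MAX_DEPTH):
        newly = set()
        for key, by in signers.items():
            if key in valid:
                continue
            good = [s for s in by if s in valid]  # only valid keys can introduce
            full = sum(trust.get(s) == FULL for s in good)
            marginal = sum(trust.get(s) == MARGINAL for s in good)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

def accept(message, valid):
    """Trust decision for a message whose signature already verified against
    message['signing_key']. The From: header is deliberately never consulted."""
    return message["signing_key"] in valid

# Constructed keyring: I certified four introducers; one of them certified AUTHOR.
CERTS = [("ME", "ALICE"), ("ME", "BOB"), ("ME", "CAROL"), ("ME", "DAVE"),
         ("ALICE", "AUTHOR"), ("BOB", "FOOBAR"), ("CAROL", "FOOBAR")]
OWNERTRUST = {"ALICE": FULL, "BOB": MARGINAL, "CAROL": MARGINAL, "DAVE": MARGINAL}
VALID = valid_keys("ME", CERTS, OWNERTRUST)

# Constructed messages: a throwaway cafe address vs. a restricted-TLD address.
CAFE_MAIL = {"from": "tmp123@cafe.example", "signing_key": "AUTHOR"}
PRO_MAIL = {"from": "counsel@foobar.legal.pro", "signing_key": "FOOBAR"}
```

Here `accept(CAFE_MAIL, VALID)` is true and `accept(PRO_MAIL, VALID)` is false: FOOBAR has only two marginal introducers, and the `.pro` address contributes nothing to the result.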