Greg Rose writes:
> At 22:09 21/08/1999 -0400, Russell Nelson wrote:
> >I've been thinking about cryptographic signing of messages at the mail
> >transfer agent level. I can think of how to do it, but I'm not sure
> >what problem it solves. :) Anyone have any ideas?
>
> Signing messages at the MTA level solves no problem at all unless there's a
> widely deployed PKI.

Because of man in the middle attacks? You could supply a public key
in the SMTP server banner, but that doesn't help if someone is fudging
things in the middle. Encryption would help, though, wouldn't it? Of
course, you've got a nasty bit of known plaintext right at the
beginning: "Received:"

Actually, if your sole threat model is "telnet mail.example.com 25",
then *any* kind of crypto helps. :) And if I go down in history for
any quote at all, it should be: "Crypto without a threat model is like
cookies without milk."

--
-russ nelson <[EMAIL PROTECTED]> http://russnelson.com
Crynwr sells support for free software | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | can outdo them. Homeschool!