Daniel Veditz wrote:

> Troels Jakobsen wrote:
>
>> Situation 1 is infeasible, since it requires all ordinary users to
>> obtain a certificate to use as signature. The procedure of obtaining
>> the certificate is non-trivial, costs money, and can't be automated,
>> since the CA (cert. authority) guarantees the identity of the owner.
>> If you could automatically get a certificate it would be worthless.
>
> Anyone can get a free email cert from Thawte. Non-trivial as you mention
> (find the site, find the freemail page on the site, fill in the forms,
> respond to email, wait, save and import cert into browser), but anyone with
> a working email address can do it.
>
>> Situation 2 is undoubtedly feasible, and I suppose some spam filters
>> use a signature as proof of validity. It's just that so few emails are
>> actually signed that it makes no difference.
>
> And there's nothing stopping spammers from getting a cert should such a
> filtering method prove effective.

Here we are speaking about Thawte's (and the same applies to most CAs) least trustworthy type of certificate, which is more or less a demo thing containing only an email address, not even a name. (We would probably want to ignore these freemail certificates, either by distinguishing their CA root certificates or their types, or by requiring a name in the certificate.)

If you want to have a "real" certificate with your name on it, you have to establish your identity through "Thawte Notaries" and/or the "Thawte Web of Trust". This would not be so easy for the spammers to get through.


Tomas
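The two filter criteria from the reply above (ignore freemail-class certs by their issuer, and require a real name in the subject) as an added example, not code from this thread or from any of the posters. It assumes signer certificates are handed over as RFC 4514 style subject and issuer DN strings; the freemail issuer DN and the sample subjects are constructed placeholders, not real CA values.

```python
"""Acceptance policy for S/MIME signer certificates in a spam filter:
reject certs from low-assurance 'freemail' issuers and certs whose
subject carries only an email address and no name."""
import re
from typing import Dict, List, Tuple

# Issuer DNs treated as low-assurance freemail roots. CONSTRUCTED
# placeholder; a real deployment takes these from the CA's root list.
FREEMAIL_ISSUERS = {"CN=Freemail Demo CA,O=Example CA Ltd,C=ZA"}


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514 style DN ("CN=a,O=b") into attribute -> values.
    Backslash-escaped commas and equals signs inside a value are kept."""
    attrs: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):  # commas not preceded by '\'
        if not rdn.strip():
            continue
        key, _, value = rdn.partition("=")
        value = value.replace("\\,", ",").replace("\\=", "=").strip()
        attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs


def dn_key(dn: str) -> Tuple[Tuple[str, Tuple[str, ...]], ...]:
    """Order- and whitespace-insensitive form of a DN for comparison."""
    return tuple(sorted((k, tuple(v)) for k, v in parse_dn(dn).items()))


def has_real_name(subject: Dict[str, List[str]]) -> bool:
    """True if the subject names a person (CN, GN or SN) rather than
    carrying only EMAILADDRESS or a CN that is itself an email address."""
    names = subject.get("CN", []) + subject.get("GN", []) + subject.get("SN", [])
    return any(n and "@" not in n for n in names)


def signer_cert_acceptable(subject_dn: str, issuer_dn: str) -> bool:
    """Apply both criteria: not a freemail issuer, and a name in the subject."""
    if dn_key(issuer_dn) in {dn_key(i) for i in FREEMAIL_ISSUERS}:
        return False
    return has_real_name(parse_dn(subject_dn))


if __name__ == "__main__":
    # Constructed sample: freemail-class cert with only an email address.
    print(signer_cert_acceptable("EMAILADDRESS=someone@example.net",
                                 "C=ZA, O=Example CA Ltd, CN=Freemail Demo CA"))
    # Constructed sample: named cert from a different issuer.
    print(signer_cert_acceptable("CN=Alice Example,EMAILADDRESS=alice@example.com",
                                 "CN=Other CA,O=Other,C=US"))
```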
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security