Maybe this is news only to me. :-) Today I received an email from a nationally known merchant with whom I have done a lot of business. The mail headers included a number of things I had never seen before (shown below). A very brief examination showed that those headers included these items, all base 64-encoded:
- an X.509v1 certificate w/ a 768 bit public key and a 2k bit signature - a 768-bit signature (bare RSA signature) - two SHA1 hashes (h & b) - a copy of the sender's From: address string (f) and other values, not base64 encoded, such as: - two date/time stamps (e and d) - other values not yet decoded Visits to these URLs http://goodmailsystems.com/ http://www.certifiedemail.net/ http://www.certifiedemail.net/what-is-certified-email.php revealed that this is a new system of digitally signed emails that are (or will soon be) recognized and validated by popular webmail hosting sites (e.g. Yahoo, AOL, various cable internet and DSL service providers), and may be sent only by "companies, non-profits or governmental agencies that meet a strict set of criteria" -- approximately the same sorts of entities that might be eligible to receive EV certificates. IOW, this is EV signed email, using a proprietary format/protocol but pretty normal looking PKI. The cert's subject was goodmail systems, not the merchant whose From: address was borne in the mail. Maybe goodmail signs the emails on behalf of the merchants. The whole point of it seems to be to get consumers to overcome their reluctance to click on links in emails (which consumers have learned from their phishing experiences), and click-through in emails from the signers. According to the flash demo in the page cited above, the web hosting companies' web sites will show special UI for messages so signed, indicating to the user that such messages are "real" (apparently meaning "safe and trustworthy"). So, one wonders: - Does signed email become something only EV-eligible parties can send? - Does this kill S/MIME? or - Should we enlist the CABForum to issue EV certs for email, and promote a competing system based on S/MIME, for use in mail clients such as ThunderBird and Outlook Express (or its Vista equivalent), and try to keep S/MIME alive? - or maybe: if you can't beat 'em, join 'em? That is, add this format to Thunderbird as an alternative format for signed email? Email headers: > X-Goodmailsystems-Sig: > kpJ8dUC8sqbiJbjFn1jHLIl+aefx3ql5s6ghkg3Bl85FwNvG702VB56P > RBiU8KxZUXBg3dYDUxSX3JRmen085/TCnn5/4Jbe48Io2P19hUHLpOFrxS0eM1ZyObOUFP7g > X-Goodmailsystems-Entity: FTD, Inc > X-Goodmailsystems-Cert: > MIICcjCCAVoCBBAAABwwDQYJKoZIhvcNAQEFBQAwIDEeMBwGA1UEAxM > > VU0NBOlgtR29vZG1haWxTeXN0ZW1zMB4XDTA3MTAxNTAwMDAwMFoXDTA4MDcwNzAwMDAwMFowgYIxCzA > > JBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzERMA8GA1UEChMIR29 > > vZG1haWwxEzARBgNVBAMTCk9wZXJhdGlvbnMxJjAkBgkqhkiG9w0BCQEWF29wc0Bnb29kbWFpbHN5c3R > > lbXMuY29tMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMUp56mfKZhynbHYCSZ6lVUrWHDCSV0B0yeHkXA > > yfbCLXv4lBBFNWO5rw8dlH56WWDUHLC4t6gBmJUyZrWmz4AryPYX5xkEeU8gRBVaP84ESbH0toeA7FpK > > jqSkGLxgCewIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBAN82LIXa4PJu+Uy5lpG9fxD2yD9h+K5Kbn4w > > 4YEj4m1voTCKzjYG/tEH6C4BeFhUwtJ5RrvfXXb/R2PhIQYII4xKTh/MSlllyVk0QDoWvup8e90XCDST > > kEt7tax/kvzJqI7wog9CbcQfERHh8i4uyBODPyB3VuuqzqTresGjn1MQoBr7nDvyTuP4E3CWFrzNaf4s > > cPbjCVDxY1KSqt8Ef4F39U4EctQTeQuDvFUUX+ZP6efhnCkBmobX0G2yFeHAuyLmNXfaCaUIHCt/eE1K > CNRewxPym2rEJc9C+TTx692ldYk2NNHd6XuDFdl6+pzHpLBwgcNnbTSabrxdeTFCQ > X-Goodmailsystems: 2; i="1"; > s="00003F5400003F5400000001476098F5EB0208A00000025600000024000027CA"; > e="20071216T022909"; d="20071213T022909"; o="16212"; t="1"; p="4"; > h="+mDiM0Tmdm3ttHLK0xJ2/xi6daM="; b="maXxhhjAw1vEhSbxmrKo3Aiv/wE="; > f="Ij0/VVRGLTg/UT9GVEQ9MkVjb20/PSIgPGxpbHlAbWFpbGZyb21mdGQuY29tPg=="; > I="001002000"; Excerpts from cert contents: > Certificate: > Data: > Version: 1 (0x0) > Serial Number: 268435484 (0x1000001c) > Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption > Issuer: "CN=SCA:X-GoodmailSystems" > Validity: > Not Before: Mon Oct 15 00:00:00 2007 > Not After : Mon Jul 07 00:00:00 2008 > Subject: "[EMAIL PROTECTED],CN=Operations,O=Goodmail,L=Mounta > in View,ST=CA,C=US" > Subject Public Key Info: > Public Key Algorithm: PKCS #1 RSA Encryption > RSA Public Key: > Modulus: > c5:29:e7:a9:9f:29:98:72:9d:b1:d8:09:26:7a:95:55: > 2b:58:70:c2:49:5d:01:d3:27:87:91:70:32:7d:b0:8b: > 5e:fe:25:04:11:4d:58:ee:6b:c3:c7:65:1f:9e:96:58: > 35:07:2c:2e:2d:ea:00:66:25:4c:99:ad:69:b3:e0:0a: > f2:3d:85:f9:c6:41:1e:53:c8:11:05:56:8f:f3:81:12: > 6c:7d:2d:a1:e0:3b:16:92:a3:a9:29:06:2f:18:02:7b > Exponent: 65537 (0x10001) > Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption > Signature: [...] _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
