Oh well... maybe I'll come up with yet another standard: StartComVerySecureAndGoodEVCompatibleSSL/SMIME. Please add my super secure standard to NSS and add a specially colored UI indicator to Thunderbird and Firefox (preferred color is green). Much appreciated.
Nelson Bolyard wrote:
> Maybe this is news only to me. :-)
>
> Today I received an email from a nationally known merchant with whom I
> have done a lot of business. The mail headers included a number of
> things I had never seen before (shown below). A very brief examination
> showed that those headers included these items, all base 64-encoded:
>
> - an X.509v1 certificate w/ a 768 bit public key and a 2k bit signature
> - a 768-bit signature (bare RSA signature)
> - two SHA1 hashes (h & b)
> - a copy of the sender's From: address string (f)
>
> and other values, not base64 encoded, such as:
> - two date/time stamps (e and d)
> - other values not yet decoded
>
> Visits to these URLs
> http://goodmailsystems.com/
> http://www.certifiedemail.net/
> http://www.certifiedemail.net/what-is-certified-email.php
> revealed that this is a new system of digitally signed emails that are
> (or will soon be) recognized and validated by popular webmail hosting
> sites (e.g. Yahoo, AOL, various cable internet and DSL service
> providers), and may be sent only by "companies, non-profits or
> governmental agencies that meet a strict set of criteria" --
> approximately the same sorts of entities that might be eligible to
> receive EV certificates.
>
> IOW, this is EV signed email, using a proprietary format/protocol but
> pretty normal looking PKI. The cert's subject was goodmail systems,
> not the merchant whose From: address was borne in the mail. Maybe
> goodmail signs the emails on behalf of the merchants.
>
> The whole point of it seems to be to get consumers to overcome their
> reluctance to click on links in emails (which consumers have learned
> from their phishing experiences), and click-through in emails from the
> signers. According to the flash demo in the page cited above, the web
> hosting companies' web sites will show special UI for messages so
> signed, indicating to the user that such messages are "real" (apparently
> meaning "safe and trustworthy").
>
> So, one wonders:
> - Does signed email become something only EV-eligible parties can send?
> - Does this kill S/MIME? or
> - Should we enlist the CABForum to issue EV certs for email, and promote
>   a competing system based on S/MIME, for use in mail clients such as
>   Thunderbird and Outlook Express (or its Vista equivalent), and try
>   to keep S/MIME alive?
> - or maybe: if you can't beat 'em, join 'em? That is, add this format
>   to Thunderbird as an alternative format for signed email?
>
> Email headers:
>
>> X-Goodmailsystems-Sig:
>> kpJ8dUC8sqbiJbjFn1jHLIl+aefx3ql5s6ghkg3Bl85FwNvG702VB56P
>> RBiU8KxZUXBg3dYDUxSX3JRmen085/TCnn5/4Jbe48Io2P19hUHLpOFrxS0eM1ZyObOUFP7g
>> X-Goodmailsystems-Entity: FTD, Inc
>> X-Goodmailsystems-Cert:
>> MIICcjCCAVoCBBAAABwwDQYJKoZIhvcNAQEFBQAwIDEeMBwGA1UEAxM
>> VU0NBOlgtR29vZG1haWxTeXN0ZW1zMB4XDTA3MTAxNTAwMDAwMFoXDTA4MDcwNzAwMDAwMFowgYIxCzA
>> JBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzERMA8GA1UEChMIR29
>> vZG1haWwxEzARBgNVBAMTCk9wZXJhdGlvbnMxJjAkBgkqhkiG9w0BCQEWF29wc0Bnb29kbWFpbHN5c3R
>> lbXMuY29tMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMUp56mfKZhynbHYCSZ6lVUrWHDCSV0B0yeHkXA
>> yfbCLXv4lBBFNWO5rw8dlH56WWDUHLC4t6gBmJUyZrWmz4AryPYX5xkEeU8gRBVaP84ESbH0toeA7FpK
>> jqSkGLxgCewIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBAN82LIXa4PJu+Uy5lpG9fxD2yD9h+K5Kbn4w
>> 4YEj4m1voTCKzjYG/tEH6C4BeFhUwtJ5RrvfXXb/R2PhIQYII4xKTh/MSlllyVk0QDoWvup8e90XCDST
>> kEt7tax/kvzJqI7wog9CbcQfERHh8i4uyBODPyB3VuuqzqTresGjn1MQoBr7nDvyTuP4E3CWFrzNaf4s
>> cPbjCVDxY1KSqt8Ef4F39U4EctQTeQuDvFUUX+ZP6efhnCkBmobX0G2yFeHAuyLmNXfaCaUIHCt/eE1K
>> CNRewxPym2rEJc9C+TTx692ldYk2NNHd6XuDFdl6+pzHpLBwgcNnbTSabrxdeTFCQ
>> X-Goodmailsystems: 2; i="1";
>> s="00003F5400003F5400000001476098F5EB0208A00000025600000024000027CA";
>> e="20071216T022909"; d="20071213T022909"; o="16212"; t="1"; p="4";
>> h="+mDiM0Tmdm3ttHLK0xJ2/xi6daM="; b="maXxhhjAw1vEhSbxmrKo3Aiv/wE=";
>> f="Ij0/VVRGLTg/UT9GVEQ9MkVjb20/PSIgPGxpbHlAbWFpbGZyb21mdGQuY29tPg==";
>> I="001002000";
>
> Excerpts from cert contents:
>
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 268435484 (0x1000001c)
>>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>>         Issuer: "CN=SCA:X-GoodmailSystems"
>>         Validity:
>>             Not Before: Mon Oct 15 00:00:00 2007
>>             Not After : Mon Jul 07 00:00:00 2008
>>         Subject: "[EMAIL PROTECTED],CN=Operations,O=Goodmail,L=Mountain View,ST=CA,C=US"
>>         Subject Public Key Info:
>>             Public Key Algorithm: PKCS #1 RSA Encryption
>>             RSA Public Key:
>>                 Modulus:
>>                     c5:29:e7:a9:9f:29:98:72:9d:b1:d8:09:26:7a:95:55:
>>                     2b:58:70:c2:49:5d:01:d3:27:87:91:70:32:7d:b0:8b:
>>                     5e:fe:25:04:11:4d:58:ee:6b:c3:c7:65:1f:9e:96:58:
>>                     35:07:2c:2e:2d:ea:00:66:25:4c:99:ad:69:b3:e0:0a:
>>                     f2:3d:85:f9:c6:41:1e:53:c8:11:05:56:8f:f3:81:12:
>>                     6c:7d:2d:a1:e0:3b:16:92:a3:a9:29:06:2f:18:02:7b
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>>     Signature: [...]
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
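The header triage Nelson describes (splitting the `X-Goodmailsystems` parameter list, base64-decoding each field and inferring primitive sizes from the decoded lengths) can be reproduced as a small script. The following is an added example, written for this thread; it is not code from the thread, from Goodmail Systems or from Mozilla. The header values are the ones quoted above with the mail's line wrapping removed. The `VERSION; key="value"; ...` grammar is inferred from that single header instance, and the reading of `d` as the signing time and `e` as the expiry is an assumption, since the thread does not document the field semantics.

```python
"""Triage an X-Goodmailsystems signature header (added example, not Goodmail's code)."""
import base64
import re
from datetime import datetime

# Values quoted in the thread, with the mail's line breaks removed.
GOODMAIL_SIG = (
    "kpJ8dUC8sqbiJbjFn1jHLIl+aefx3ql5s6ghkg3Bl85FwNvG702VB56P"
    "RBiU8KxZUXBg3dYDUxSX3JRmen085/TCnn5/4Jbe48Io2P19hUHLpOFrxS0eM1ZyObOUFP7g"
)
GOODMAIL_PARAMS = (
    '2; i="1"; '
    's="00003F5400003F5400000001476098F5EB0208A00000025600000024000027CA"; '
    'e="20071216T022909"; d="20071213T022909"; o="16212"; t="1"; p="4"; '
    'h="+mDiM0Tmdm3ttHLK0xJ2/xi6daM="; b="maXxhhjAw1vEhSbxmrKo3Aiv/wE="; '
    'f="Ij0/VVRGLTg/UT9GVEQ9MkVjb20/PSIgPGxpbHlAbWFpbGZyb21mdGQuY29tPg=="; '
    'I="001002000";'
)

# Grammar inferred from the one header seen in the thread (assumption).
_PAIR = re.compile(r'\s*(\w+)="([^"]*)"\s*')


def parse_params(value):
    """Split 'VERSION; k="v"; k="v"; ...' into (version, {key: value}).

    Keys are case-sensitive: the header carries both i="1" and I="001002000".
    """
    parts = [p for p in value.split(";") if p.strip()]
    version = parts[0].strip()
    fields = {}
    for part in parts[1:]:
        m = _PAIR.fullmatch(part)
        if not m:
            raise ValueError("unparseable parameter: %r" % part)
        fields[m.group(1)] = m.group(2)
    return version, fields


def b64_bytes(s):
    """Decode base64 that may arrive without padding (the signature value has none)."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_stamp(s):
    """Timestamps look like YYYYMMDDTHHMMSS; no timezone is given in the header."""
    return datetime.strptime(s, "%Y%m%dT%H%M%S")


def triage(sig_b64, params):
    """Report what the decoded field lengths say about the scheme's primitives."""
    version, f = parse_params(params)
    sig = b64_bytes(sig_b64)
    h, b = b64_bytes(f["h"]), b64_bytes(f["b"])
    sender = b64_bytes(f["f"]).decode("utf-8")
    d, e = parse_stamp(f["d"]), parse_stamp(f["e"])
    return {
        "version": version,
        "signature_bits": len(sig) * 8,   # 768: bare RSA signature, 768-bit modulus
        "h_bytes": len(h),                # 20: SHA-1 sized digest
        "b_bytes": len(b),                # 20: SHA-1 sized digest
        "from_header": sender,            # RFC 2047 encoded display name plus address
        "window_days": (e - d).days,      # assumes d = signing time, e = expiry
        "serial_hex": f["s"],
    }


def within_window(fields, when):
    """Defender check: a signature presented outside its own d..e interval
    should not earn any trust indicator (same d/e assumption as above)."""
    return parse_stamp(fields["d"]) <= when <= parse_stamp(fields["e"])


if __name__ == "__main__":
    for key, val in triage(GOODMAIL_SIG, GOODMAIL_PARAMS).items():
        print("%-15s %s" % (key, val))
```

Lengths are all this triage can establish: 96 decoded bytes of signature match the 768-bit modulus in the quoted certificate, and the two 20-byte values are SHA-1 sized. Actually verifying the signature would require knowing which header bytes are hashed and in what order, which nothing in the thread specifies, so a receiving system that displays a "real" indicator on the strength of these headers is trusting a format it cannot independently check.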