No, this is news to me too, Nelson. So, if I understand this correctly, the primary difference between what this message contains and S/MIME is that they chose to use a proprietary format for securing the e-mail as opposed to an industry standard that has been around for nearly 2 decades and is implemented in every major MUA.
Since they could have implemented the exact same business capability using S/MIME, it sounds like this scheme was created to only lock in merchants. Doesn't appear to add any new value to the field of security. Heaven forbid that someone might figure out that they can achieve the same effect with open-source libraries and one signing certificate for less than $100 per year. Arshad Noor StrongAuth, Inc. Nelson Bolyard wrote: > Maybe this is news only to me. :-) > > Today I received an email from a nationally known merchant with whom I > have done a lot of business. The mail headers included a number of > things I had never seen before (shown below). A very brief examination > showed that those headers included these items, all base 64-encoded: > > - an X.509v1 certificate w/ a 768 bit public key and a 2k bit signature > - a 768-bit signature (bare RSA signature) > - two SHA1 hashes (h & b) > - a copy of the sender's From: address string (f) > > and other values, not base64 encoded, such as: > - two date/time stamps (e and d) > - other values not yet decoded > > Visits to these URLs > http://goodmailsystems.com/ > http://www.certifiedemail.net/ > http://www.certifiedemail.net/what-is-certified-email.php > revealed that this is a new system of digitally signed emails that are > (or will soon be) recognized and validated by popular webmail hosting > sites (e.g. Yahoo, AOL, various cable internet and DSL service > providers), and may be sent only by "companies, non-profits or > governmental agencies that meet a strict set of criteria" -- > approximately the same sorts of entities that might be eligible to > receive EV certificates. > > IOW, this is EV signed email, using a proprietary format/protocol but > pretty normal looking PKI. The cert's subject was goodmail systems, > not the merchant whose From: address was borne in the mail. Maybe > goodmail signs the emails on behalf of the merchants. > > The whole point of it seems to be to get consumers to overcome their > reluctance to click on links in emails (which consumers have learned > from their phishing experiences), and click-through in emails from the > signers. According to the flash demo in the page cited above, the web > hosting companies' web sites will show special UI for messages so > signed, indicating to the user that such messages are "real" (apparently > meaning "safe and trustworthy"). > > So, one wonders: > - Does signed email become something only EV-eligible parties can send? > - Does this kill S/MIME? or > - Should we enlist the CABForum to issue EV certs for email, and promote > a competing system based on S/MIME, for use in mail clients such as > ThunderBird and Outlook Express (or its Vista equivalent), and try > to keep S/MIME alive? > - or maybe: if you can't beat 'em, join 'em? That is, add this format > to Thunderbird as an alternative format for signed email? > _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
