Nelson Bolyard wrote:
Maybe this is news only to me.  :-)
There is something out there called Domain Signatures (I think), which is meant to be processed by your Email ISP and converted into something that supposedly you trust.

The push for this is the need to get 'quiet' signatures because some browsers treat signed email like something to watch out for ("Warning: this email is signed, are you sure you want to open it?").

Anyway the whole scheme is based on Secure DNS, which is why it hasn't gotten much noise outside the PKI academic community.

bob
Today I received an email from a nationally known merchant with whom I
have done a lot of business.  The mail headers included a number of
things I had never seen before (shown below).  A very brief examination
showed that those headers included these items, all base 64-encoded:

- an X.509v1 certificate w/ a 768 bit public key and a 2k bit signature
- a 768-bit signature (bare RSA signature)
- two SHA1 hashes (h & b)
- a copy of the sender's From: address string (f)

and other values, not base64 encoded, such as:
- two date/time stamps (e and d)
- other values not yet decoded

Visits to these URLs
   http://goodmailsystems.com/
   http://www.certifiedemail.net/
   http://www.certifiedemail.net/what-is-certified-email.php
revealed that this is a new system of digitally signed emails that are
(or will soon be) recognized and validated by popular webmail hosting
sites (e.g. Yahoo, AOL, various cable internet and DSL service
providers), and may be sent only by "companies, non-profits or
governmental agencies that meet a strict set of criteria" --
approximately the same sorts of entities that might be eligible to
receive EV certificates.

IOW, this is EV signed email, using a proprietary format/protocol but
pretty normal looking PKI.  The cert's subject was goodmail systems,
not the merchant whose From: address was borne in the mail.  Maybe
goodmail signs the emails on behalf of the merchants.

The whole point of it seems to be to get consumers to overcome their
reluctance to click on links in emails (which consumers have learned
from their phishing experiences), and click-through in emails from the
signers.  According to the flash demo in the page cited above, the web
hosting companies' web sites will show special UI for messages so
signed, indicating to the user that such messages are "real" (apparently
meaning "safe and trustworthy").

So, one wonders:
- Does signed email become something only EV-eligible parties can send?
- Does this kill S/MIME?  or
- Should we enlist the CABForum to issue EV certs for email, and promote
  a competing system based on S/MIME, for use in mail clients such as
  Thunderbird and Outlook Express (or its Vista equivalent), and try
  to keep S/MIME alive?
- or maybe: if you can't beat 'em, join 'em?  That is, add this format
  to Thunderbird as an alternative format for signed email?

Email headers:

X-Goodmailsystems-Sig: kpJ8dUC8sqbiJbjFn1jHLIl+aefx3ql5s6ghkg3Bl85FwNvG702VB56P
 RBiU8KxZUXBg3dYDUxSX3JRmen085/TCnn5/4Jbe48Io2P19hUHLpOFrxS0eM1ZyObOUFP7g
X-Goodmailsystems-Entity: FTD, Inc
X-Goodmailsystems-Cert: [base64-encoded certificate omitted; decoded excerpts below]
X-Goodmailsystems: 2; i="1";
 s="00003F5400003F5400000001476098F5EB0208A00000025600000024000027CA";
 e="20071216T022909"; d="20071213T022909"; o="16212"; t="1"; p="4";
 h="+mDiM0Tmdm3ttHLK0xJ2/xi6daM="; b="maXxhhjAw1vEhSbxmrKo3Aiv/wE=";
 f="Ij0/VVRGLTg/UT9GVEQ9MkVjb20/PSIgPGxpbHlAbWFpbGZyb21mdGQuY29tPg==";
 I="001002000";

Excerpts from cert contents:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 268435484 (0x1000001c)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=SCA:X-GoodmailSystems"
        Validity:
            Not Before: Mon Oct 15 00:00:00 2007
            Not After : Mon Jul 07 00:00:00 2008
        Subject: "[EMAIL PROTECTED],CN=Operations,O=Goodmail,L=Mounta
            in View,ST=CA,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c5:29:e7:a9:9f:29:98:72:9d:b1:d8:09:26:7a:95:55:
                    2b:58:70:c2:49:5d:01:d3:27:87:91:70:32:7d:b0:8b:
                    5e:fe:25:04:11:4d:58:ee:6b:c3:c7:65:1f:9e:96:58:
                    35:07:2c:2e:2d:ea:00:66:25:4c:99:ad:69:b3:e0:0a:
                    f2:3d:85:f9:c6:41:1e:53:c8:11:05:56:8f:f3:81:12:
                    6c:7d:2d:a1:e0:3b:16:92:a3:a9:29:06:2f:18:02:7b
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:  [...]



_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
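
Added example, not part of the original post and not Goodmail's code: a small parser for the X-Goodmailsystems header quoted above that checks the post's reading of it (h and b are SHA-1-sized, f carries the From: string, e and d are timestamps). The name="value" syntax and the field meanings are assumptions taken from the sample and the post, not from any published specification; the function names are hypothetical.

```python
import base64
import re
from datetime import datetime
from email.header import decode_header, make_header
from email.utils import parseaddr

# Header value copied from the message above, unfolded onto one logical line.
# Field meanings follow the post's own reading; no Goodmail spec was consulted.
SAMPLE = (
    '2; i="1"; '
    's="00003F5400003F5400000001476098F5EB0208A00000025600000024000027CA"; '
    'e="20071216T022909"; d="20071213T022909"; o="16212"; t="1"; p="4"; '
    'h="+mDiM0Tmdm3ttHLK0xJ2/xi6daM="; b="maXxhhjAw1vEhSbxmrKo3Aiv/wE="; '
    'f="Ij0/VVRGLTg/UT9GVEQ9MkVjb20/PSIgPGxpbHlAbWFpbGZyb21mdGQuY29tPg=="; '
    'I="001002000";'
)

# Assumed syntax: name="value" pairs separated by semicolons.
PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_params(value):
    """Split the header into its leading token and its name="value" pairs."""
    version, _, rest = value.partition(";")
    return version.strip(), dict(PARAM.findall(rest))


def summarize(value):
    """Decode the fields the post identifies and report what they contain."""
    version, p = parse_params(value)
    stamps = {k: datetime.strptime(p[k], "%Y%m%dT%H%M%S") for k in ("e", "d")}
    # validate=True rejects characters outside the base64 alphabet.
    digests = {k: base64.b64decode(p[k], validate=True) for k in ("h", "b")}
    from_raw = base64.b64decode(p["f"], validate=True).decode("ascii")
    name, addr = parseaddr(from_raw)
    return {
        "version": version,
        "digest_bytes": {k: len(v) for k, v in digests.items()},  # SHA-1 = 20
        "window_days": (stamps["e"] - stamps["d"]).days,
        "from_display": str(make_header(decode_header(name))),  # RFC 2047
        "from_addr": addr,
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```
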
