On Dec 13, 3:25 am, Brad Hards <[EMAIL PROTECTED]> wrote:
> Is it really "EV" equivalent? Is there really enough rigour being applied to
> make sure these people are "really nice and friendly"? How does goodmail
> make sure it isn't being spoofed?

The embedded certificate is only a tool. CertifiedEmail is a third-party signature system. First we accredit senders to establish whether they are good players with a good email reputation. Then, once they are accredited, we certify *individual* messages, i.e. senders request a "token" which includes our signature for every message they desire to send. This provides us with real-time control which is necessary to ensure CertifiedEmail is not abused. These tokens are cryptographically checked by the recipient and matched to the message.

Contrast that with a CA who vets a sender *once* and grants them a certificate that would allow them to sign as many messages as they want for a year. CertifiedEmail has built-in real-time security mechanisms not available to a bless-and-forget CA.

Mailbox providers who use CertifiedEmail and control the UI (e.g. webmail) show a CE trust icon next to CE messages. We will release next year a plug-in for Outlook Express that does the same. We will support an open source effort to develop a similar plug-in for Thunderbird.

> Maybe, but you need to do the "who the hell are these guys" investigation
> first.

I'm happy to answer any questions here.

Daniel Dreymann
CEO & Co-Founder, Goodmail Systems