Michael Ströder wrote:
> Daniel Dreymann wrote:
>   
>> CertifiedEmail is a third-party signature system. First we accredit
>> senders to establish whether they are good players with a good email
>> reputation. Then, once they are accredited, we certify *individual*
>> messages,
>>     
>
> But this initial accreditation is done once.
>   
Yes, it would be very interesting to know on what basis individual 
messages are certified...and how should that be any better than S/MIME. 
It is commonly known that very few spammers actually use their own email 
addresses and servers, but compromised computers on the Internet.

(Just as a by-note, I know of at least one "legitimate" spammer sending 
out newsletters and adverts in his real name, email address and his own 
servers. It makes him kind of interesting since he somehow plays by the 
rules and anyone can simply block his email address/domain...)
>
> Well, it really depends on whether, why and how quick you revoke the 
> initial accreditation. So the same authenticity issues arise like with 
> what you call a "bless-and-forget CA". It depends on the security 
> measures really deployed, during the whole certification lifecycle. 
In that respect it's really useful to limit the validity period to 
something responsible (not more than one year after which certificates 
must be re-validated or renewed).

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
