On Sun, 01 Feb 2004 21:48:47 EST, John R Levine said:
> A PGP or S/MIME signature assures you that the mail definitely came from the address it purports to come from, but it doesn't tell you whether that person is who you think it is. That's where limited access domains can help.
Umm... no. If the PGP or S/MIME trust infrastructure is able to tell you that the mail came from somebody in particular, the domain doesn't matter anymore. Consider this PGP-signed mail. If your PGP web-of-trust IDs it as me, then it's me or somebody/something with access to my private key. I could have posted this from a pay-by-the-hour cyber cafe in Paris, using a created ID on their mail server for the From:, and PGP would still tell you if it was from me or not. If your web-of-trust *doesn't* verify it, it doesn't matter if I'm coming from a .pro or a .edu or a cyber cafe. (Note that the same logic applies to S/MIME - the fact that Verisign accepted money to sign a certificate for foobar.legal.pro doesn't tell you anything about whether you should actually deal with foobar. All it really proves is that the news about Foobar's disbarment hasn't reached the domain registrar yet....
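As an added illustration of the point made above (example code, not part of the thread), here is a toy Python model of that trust decision: textbook RSA over small, hard-coded primes stands in for a real PGP/S/MIME key, the "web of trust" is a table keyed only by key fingerprint, and the checker never reads the From: header. The names, addresses and keys are all constructed.

```python
import hashlib

# Toy textbook RSA with small, hard-coded primes (constructed, insecure):
# a stand-in for a real PGP/S/MIME key so the example runs offline.
def make_key(p, q, e=65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d              # (public key, private exponent)

def fingerprint(pub):
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def digest(body, n):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def sign(body, pub, d):
    return pow(digest(body, pub[0]), d, pub[0])

def verify(body, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(body, n)

# Constructed keys: "alice" is the person we know; "mallory" is anyone else.
ALICE_PUB, ALICE_PRIV = make_key(1000003, 999983)
MALLORY_PUB, MALLORY_PRIV = make_key(104729, 1299709)

# Our toy web of trust: key fingerprint -> person. No domain appears here.
TRUSTED = {fingerprint(ALICE_PUB): "alice"}

def signer_of(msg):
    """Return the trusted person who signed msg, or None.
    The From: header is deliberately never read: only the key matters."""
    sig, pub = msg.get("signature"), msg.get("signer_key")
    if sig is None or pub is None or not verify(msg["body"], sig, pub):
        return None
    return TRUSTED.get(fingerprint(pub))

def signed_mail(sender, body, pub, priv):
    return {"from": sender, "body": body, "signer_key": pub,
            "signature": sign(body, pub, priv)}

BODY = "Umm... no. The domain doesn't matter anymore."
# 1. Alice mails from a cyber cafe account; the odd From: domain is irrelevant.
CAFE = signed_mail("guest42@cafe-paris.example", BODY, ALICE_PUB, ALICE_PRIV)
# 2. Mallory uses Alice's usual address but can only sign with his own key.
FORGED = signed_mail("alice@law-school.example", BODY, MALLORY_PUB, MALLORY_PRIV)
# 3. Alice's signed mail with the body altered in transit.
TAMPERED = dict(CAFE, body=BODY + " Send the funds.")
# 4. Right-looking address, no signature at all.
UNSIGNED = {"from": "alice@law-school.example", "body": BODY}

if __name__ == "__main__":
    for name, m in [("cafe", CAFE), ("forged", FORGED),
                    ("tampered", TAMPERED), ("unsigned", UNSIGNED)]:
        print(f"{name:9} From: {m['from']:28} -> signer: {signer_of(m)}")
```

Case 2 carries a perfectly valid signature; it is rejected only because the key is not one the reader trusts, which is exactly why a registrar's or CA's willingness to issue a name says nothing by itself.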