Re: What happened to dot pro... (BTW)
Anyone can send a spoof through say a misconfigured email server responsible for that TLD say through remixer, posing as someone on that network. Just because someone has some 'nifty' tld means absolutely nothing. If someone truly wants to be held accountable in such fields they could always use PGP to sign the messages they send. Wait for that to happen and I'll be a millionaire before it does.

Not to get into an accountability issue here, but in certain professions I feel digital messages should be signed entirely, it sends a sign of some form of trust being given/desired. Personally I would love to see people in office use some form of digital based signature, but that would after all - hold them accountable. ;O

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"Men have been taught that it is a virtue to agree with others. But the creator is the man who disagrees. Men have been taught that it is a virtue to swim with the current. But the creator is the man who goes against the current. Men have been taught that it is a virtue to stand together. But the creator is the man who stands alone." -- Ayn Rand
> Not to get into an accountability issue here, but in certain professions I feel digital messages should be signed entirely,
I entirely agree, but you need both signatures and verifiable addresses. A PGP or S/MIME signature assures you that the mail definitely came from the address it purports to come from, but it doesn't tell you whether that person is who you think it is. That's where limited access domains can help.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"I dropped the toothpaste", said Tom, crestfallenly.
On Sun, 01 Feb 2004 21:48:47 EST, John R Levine said:
> A PGP or S/MIME signature assures you that the mail definitely came from the address it purports to come from, but it doesn't tell you whether that person is who you think it is. That's where limited access domains can help.
Umm... no. If the PGP or S/MIME trust infrastructure is able to tell you that the mail came from somebody in particular, the domain doesn't matter anymore.

Consider this PGP-signed mail. If your PGP web-of-trust ID's it as me, then it's me or somebody/something with access to my private key. I could have posted this from a pay-by-the-hour cyber cafe in Paris, using a created ID on their mail server for the From:, and PGP would still tell you if it was from me or not. If your web-of-trust *doesn't* verify it, it doesn't matter if I'm coming from a .pro or a .edu or a cyber cafe.

(Note that the same logic applies to S/MIME - the fact that Verisign accepted money to sign a certificate for foobar.legal.pro doesn't tell you anything about whether you should actually deal with foobar. All it really proves is that the news about Foobar's disbarment hasn't reached the domain registrar yet....)
John R Levine wrote:
> A PGP or S/MIME signature assures you that the mail definitely came from the address it purports to come from, but it doesn't tell you whether that person is who you think it is. That's where limited access domains can help.
No actually a PGP signature assures you that a particular private key was used to sign a message. It doesn't tell you whether that key belongs to who you think it does. Thus you would verify the key fingerprint via an out of band method (phone, in person, business card).

I don't see how a limited access domain helps in binding keys to people, unless the registrars are going to start acting as CAs as well. Anyone can create a PGP key with trustme@fubar.cpa.pro as an associated email address.

Bradley
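Bradley's distinction above (a signature proves which private key signed the body, not who holds that key, so the fingerprint has to be checked out of band) and Valdis's earlier point (once the key is trusted, the From: domain is irrelevant; once it is not, a .pro address adds nothing) are easy to show side by side. The following is an added example, not code from anyone in this thread: it uses Go's standard Ed25519 as a stand-in for a PGP key and a SHA-256 of the public key as a stand-in fingerprint; the names, addresses, message bodies and the recipient's trust store are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMail is a constructed stand-in for a PGP-signed message: the From:
// header the sending server put on it, the signed body, the signer's public
// key and the signature. As with a typical PGP-signed mail, only the body is
// signed; the From: header is not covered by the signature at all.
type SignedMail struct {
	From      string
	Body      string
	PubKey    ed25519.PublicKey
	Signature []byte
}

// NewKeypair generates an Ed25519 keypair (stand-in for a PGP key).
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Fingerprint returns the hex SHA-256 of a public key: the value a recipient
// compares against what they obtained by phone, in person or from a card.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign builds a signed mail. The From: header is whatever the sending server
// chose; the signature covers the body only.
func Sign(priv ed25519.PrivateKey, from, body string) SignedMail {
	return SignedMail{
		From:      from,
		Body:      body,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, []byte(body)),
	}
}

// VerifySignature answers only the cryptographic question: was this body
// signed with the private key matching m.PubKey? It says nothing about who
// holds that key, and nothing about the From: header.
func VerifySignature(m SignedMail) bool {
	return ed25519.Verify(m.PubKey, []byte(m.Body), m.Signature)
}

// ResolveSigner answers the binding question: does the signing key match a
// fingerprint the recipient verified out of band? trusted maps fingerprint ->
// the person it was checked with. The From: domain plays no part.
func ResolveSigner(m SignedMail, trusted map[string]string) (string, bool) {
	if !VerifySignature(m) {
		return "", false
	}
	name, ok := trusted[Fingerprint(m.PubKey)]
	return name, ok
}

// Outcome records the three cases discussed in the thread.
type Outcome struct {
	ValidFromCafe  bool   // trusted key, cyber-cafe From: header: signature still valid
	SignerFromCafe string // ...and the out-of-band fingerprint still names the signer
	ValidFromPro   bool   // unknown key with a .pro address: signature is valid...
	SignerFromPro  string // ...but no trusted fingerprint matches, so signer is unknown
	TamperedValid  bool   // body altered in transit: signature fails
}

// RunScenarios plays out the three cases with constructed keys and mail.
func RunScenarios() Outcome {
	valdisPub, valdisPriv := NewKeypair()
	_, strangerPriv := NewKeypair()

	// The recipient's trust store: one fingerprint, checked out of band.
	trusted := map[string]string{Fingerprint(valdisPub): "Valdis"}

	var o Outcome

	// 1. Signed with the trusted key but sent through a cafe account.
	cafe := Sign(valdisPriv, "anon1234@cybercafe.example", "Meet at 10.")
	o.ValidFromCafe = VerifySignature(cafe)
	o.SignerFromCafe, _ = ResolveSigner(cafe, trusted)

	// 2. A freshly made key whose owner picked a .pro address: nothing binds it to anyone.
	pro := Sign(strangerPriv, "trustme@fubar.cpa.pro", "Wire the retainer today.")
	o.ValidFromPro = VerifySignature(pro)
	o.SignerFromPro, _ = ResolveSigner(pro, trusted)

	// 3. Same mail as case 1 with the body changed: the signature no longer verifies.
	tampered := cafe
	tampered.Body = "Meet at 11."
	o.TamperedValid = VerifySignature(tampered)

	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The two checks are deliberately separate functions: VerifySignature is what the mail client does for you, ResolveSigner is the step that needs the trust store you built out of band, and neither one consults the address or its TLD.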
> an out of band method (phone, in person, business card). I don't see how a limited access domain helps in binding keys to people, unless the registrars are going to start acting as CAs as well. Anyone can create a PGP key with trustme@fubar.cpa.pro as an associated email address.
The .pro website said they were going to do certs, but at this point it seems unlikely that they'll do anything. It's somewhat harder (not impossible, somewhat harder) to get a bogus S/MIME cert since the issuers all do at least perfunctory mailback verification.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"I dropped the toothpaste", said Tom, crestfallenly.
participants (4)
- Bradley Dunn
- J. Oquendo
- John R Levine
- Valdis.Kletnieks@vt.edu