- Newsgroups: comp.protocols.tcp-ip
- Path: sparky!uunet!shearson.com!snark!pmetzger
- From: pmetzger@snark.shearson.com (Perry E. Metzger)
- Subject: Re: SMTP mail
- Message-ID: <1992Jul29.152351.23424@shearson.com>
- Sender: news@shearson.com (News)
- Organization: /usr/local/lib/news/organization
- References: <92209.190519KKEYTE@ESOC.BITNET> <1992Jul29.021534.6708@mp.cs.niu.edu> <92211.092548KKEYTE@ESOC.BITNET>
- Date: Wed, 29 Jul 1992 15:23:51 GMT
- Lines: 36
-
- In article <92211.092548KKEYTE@ESOC.BITNET> Karl Keyte <KKEYTE@ESOC.BITNET> writes:
- >
- >& that's not a security hole? It is if you want to believe mail that you
- >receive. Paper mail is usually signed.
-
- And you are enough of an expert on handwriting that you can check the
- signatures of all the mail you get and know it's really from the
- person, eh? Keep reference signatures for everyone you correspond
- with, too, I assume. Good trick. I can forge most people's signatures
- with about 2 minutes of practice, not significantly more effort than
- it takes to forge SMTP mail. Paper mail is just as insecure as EMail,
- if not more so because almost anyone can forge paper mail but it takes
- someone who groks SMTP to forge email.
-
- >The point is, SMTP is stupidly simple (as we all know) in its
- >"authentication".
-
- Relying on paper signatures is also stupidly simple. Signatures are
- not there on legal documents as an identity verification, you know,
- but as proof of consent; if you sign (and it's shown that you indeed
- were the one who signed) it's taken to mean that you understood you
- were entering into a contract. If you want identity verification you
- are supposed to go to a notary public.
-
- >My question still stands.
-
- Look, if you want real authentication, you need to go to public key
- cryptography. You won't find any other technique that really works,
- and you aren't going to find PEM implementations that interoperate on
- your platforms. Fine, shut off SMTP and deprive your users of a
- valuable service if you like, but you aren't doing them any favors.
- --
- Perry Metzger pmetzger@shearson.com
- --
- Just say "NO!" to death and taxes.
- Extropian and Proud.
-