What happened to dot pro... (BTW)

Anyone can send a spoof through say a misconfigured email server
responsible for that TLD say through remixer, posing as someone on that
network. Just because someone has some 'nifty' tld means absolutely
nothing. If someone truly wants to be held accountable in such fields they
could always use PGP to sign the messages they send. Wait for that to
happen and I'll be a millionaire before it does.

Not to get into an accountability issue here, but in certain professions I
feel digital messages should be signed entirely, it sends a sign of some
form of trust being given/desired. Personally I would love to see people
in office use some form of digital based signature, but that would, after
all, hold them accountable. ;O

Not to get into an accountability issue here, but in certain professions I
feel digital messages should be signed entirely,

I entirely agree, but you need both signatures and verifiable addresses.

A PGP or S/MIME signature assures you that the mail definitely came from
the address it purports to come from, but it doesn't tell you whether that
person is who you think it is. That's where limited access domains can
help.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"I dropped the toothpaste", said Tom, crestfallenly.

Umm... no.

If the PGP or S/MIME trust infrastructure is able to tell you that the
mail came from somebody in particular, the domain doesn't matter anymore.

Consider this PGP-signed mail. If your PGP web-of-trust IDs it as me, then
it's me or somebody/something with access to my private key. I could have
posted this from a pay-by-the-hour cyber cafe in Paris, using a created ID on
their mail server for the From:, and PGP would still tell you if it was from me
or not.

If your web-of-trust *doesn't* verify it, it doesn't matter if I'm coming from
a .pro or a .edu or a cyber cafe.

(Note that the same logic applies to S/MIME - the fact that Verisign accepted
money to sign a certificate for foobar.legal.pro doesn't tell you anything
about whether you should actually deal with foobar. All it really proves is
that the news about Foobar's disbarment hasn't reached the domain registrar
yet....)

John R Levine wrote:

A PGP or S/MIME signature assures you that the mail definitely came from
the address it purports to come from, but it doesn't tell you whether that
person is who you think it is. That's where limited access domains can
help.

No actually a PGP signature assures you that a particular private key was used to sign a message. It doesn't tell you whether that key belongs to who you think it does. Thus you would verify the key fingerprint via an out of band method (phone, in person, business card). I don't see how a limited access domain helps in binding keys to people, unless the registrars are going to start acting as CAs as well. Anyone can create a PGP key with trustme@fubar.cpa.pro as an associated email address.

Bradley
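The point Bradley and the "Umm... no" reply are both making (a signature proves which key signed, not who holds it, and only an out-of-band fingerprint check binds the key to a person) is easy to see in code. The following is an added example, not code from anyone in this thread; it uses Go's standard-library Ed25519 as a stand-in for PGP, a SHA-256 digest of the public key as the fingerprint, and a constructed map of fingerprints learned out of band. The type and function names (SignedMail, NewIdentity, Fingerprint, Sign, SignatureValid, TrustedSender) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMail is a constructed stand-in for a PGP-signed message: the body, the
// email address the signer claims in the key's user ID, the public key, and
// the signature over both.
type SignedMail struct {
	ClaimedEmail string
	Body         []byte
	PubKey       ed25519.PublicKey
	Signature    []byte
}

// NewIdentity makes a fresh key pair. Nothing here checks an email address:
// just as with a PGP user ID, the holder can claim any address they like.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Fingerprint is a hex SHA-256 digest of the raw public key, the value you
// would read to someone over the phone or print on a business card.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signedBytes binds the claimed address into the signed data so the address
// cannot be swapped after signing without breaking the signature.
func signedBytes(claimedEmail string, body []byte) []byte {
	return append([]byte(claimedEmail+"\n"), body...)
}

// Sign produces a SignedMail; the claimed email is whatever the caller says.
func Sign(priv ed25519.PrivateKey, claimedEmail string, body []byte) SignedMail {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedMail{
		ClaimedEmail: claimedEmail,
		Body:         body,
		PubKey:       pub,
		Signature:    ed25519.Sign(priv, signedBytes(claimedEmail, body)),
	}
}

// SignatureValid answers only the narrow question a signature can answer:
// was this message signed by the private key matching m.PubKey?
func SignatureValid(m SignedMail) bool {
	return ed25519.Verify(m.PubKey, signedBytes(m.ClaimedEmail, m.Body), m.Signature)
}

// TrustedSender answers the question the thread is about: is this the key
// that belongs to the person behind the claimed address? The trusted map is
// the out-of-band record (fingerprint -> email) that no domain supplies.
func TrustedSender(m SignedMail, trusted map[string]string) bool {
	if !SignatureValid(m) {
		return false
	}
	email, known := trusted[Fingerprint(m.PubKey)]
	return known && email == m.ClaimedEmail
}

func main() {
	const addr = "trustme@fubar.cpa.pro" // the address quoted in the thread
	realPub, realPriv, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	_, fakePriv, err := NewIdentity() // a second key claiming the same address
	if err != nil {
		panic(err)
	}
	// Constructed out-of-band record: the only thing separating the two keys.
	trusted := map[string]string{Fingerprint(realPub): addr}

	body := []byte("Constructed sample body: please confirm the appointment.")
	genuine := Sign(realPriv, addr, body)
	impostor := Sign(fakePriv, addr, body)

	fmt.Println("genuine  valid:", SignatureValid(genuine), " trusted:", TrustedSender(genuine, trusted))
	fmt.Println("impostor valid:", SignatureValid(impostor), " trusted:", TrustedSender(impostor, trusted))
}
```

Both signatures verify, because each was made with the private key matching the public key attached to it; only the fingerprint lookup tells the two apart, and that lookup has nothing to do with which TLD the address sits under.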

an out of band method (phone, in person, business card). I don't see how
a limited access domain helps in binding keys to people, unless the
registrars are going to start acting as CAs as well. Anyone can create a
PGP key with trustme@fubar.cpa.pro as an associated email address.

The .pro website said they were going to do certs, but at this point it
seems unlikely that they'll do anything.

It's somewhat harder (not impossible, somewhat harder) to get a
bogus S/MIME cert since the issuers all do at least perfunctory mailback
verification.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"I dropped the toothpaste", said Tom, crestfallenly.