funsec mailing list archives

Re: facebook messages worm


From: "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () gmail com>
Date: Thu, 7 Aug 2008 11:44:59 -0500

But there is *SOME* benefit.  Granted, many unsophisticated users don't
check the location bar to verify that they are actually at, say,
citibank.com.  But some do.  I would think the same is true for e-mail,
someone would notice this "Facebook" message isn't from facebook.  Of
course, since no authentication is required to submit PGP keys (unless this
has changed) that might not necessarily be true, but that's a process
question, not a technology one. (i.e. verify the e-mail before allowing
someone to submit a key for that email).

For more important messages, such as say, communication from federal courts
(which also include clickable links), you could easily write spam-filter
rules that look for these highly formatted messages and verify they are, in
fact, signed from the US courts.

A thought.  But yes, it's incrementalism. Sometimes that's all we have.

On Thu, Aug 7, 2008 at 11:29 AM, <Valdis.Kletnieks () vt edu> wrote:

> On Thu, 07 Aug 2008 10:58:07 CDT, "John C. A. Bambenek, GCIH, CISSP" said:
>
> > Has anyone heard of digital signatures for e-mail? :)
>
> Well, this RFC probably counts as "prior art" 20 years ago:
>
> 0989 Privacy enhancement for Internet electronic mail: Part I: Message
>     encipherment and authentication procedures. J. Linn. February 1987.
>     (Format: TXT=63934 bytes) (Obsoleted by RFC1040, RFC1113) (Status:
>     UNKNOWN)
>
> The *real* problem is that digital signatures for E-mail work in *exactly
> the same way* and provide *the same protection* as SSL does for the Web.
>
> Yes, that's the problem, not the solution statement.
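The filter rule John sketches ("mail that claims to be from the courts must carry a signature that actually verifies") can be written down concretely. The Go program below is an added example for this archive page, not code from either poster or from any mail-filtering product. It assumes a hypothetical `X-Body-Signature` header carrying an Ed25519 signature over the sender address and body; that is a stand-in chosen so the example runs on the Go standard library alone, where a real deployment would check DKIM (RFC 6376), PGP or S/MIME. `uscourts.gov` is used only as the illustrative protected domain, and the pinned key is generated at start-up, which stands in for a real key-distribution path (DNS, key server, out-of-band enrolment). The sample messages are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Verdict is what the filter rule returns for a message.
type Verdict string

const (
	Accept     Verdict = "accept"
	Quarantine Verdict = "quarantine"
)

// Policy pins one signing key per sender domain whose mail must always be
// signed. Anything claiming such a domain without a valid signature is held.
type Policy struct {
	Keys map[string]ed25519.PublicKey
}

// signedBytes is what the signature covers: the lower-cased sender address
// bound to the canonicalised body (CRLF -> LF, trailing whitespace trimmed),
// so a signed body cannot be replayed under a different From address.
func signedBytes(from string, body []byte) []byte {
	b := strings.ReplaceAll(string(body), "\r\n", "\n")
	b = strings.TrimRight(b, " \t\n")
	return []byte(strings.ToLower(from) + "\n" + b)
}

// SignBody produces the base64 value for the hypothetical X-Body-Signature
// header (an assumed stand-in for DKIM/PGP, not a real mail standard).
func SignBody(priv ed25519.PrivateKey, from, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes(from, []byte(body))))
}

// BuildMessage assembles a minimal RFC 5322 message; sig == "" means unsigned.
func BuildMessage(from, subject, body, sig string) string {
	var sb strings.Builder
	sb.WriteString("From: " + from + "\r\nSubject: " + subject + "\r\n")
	if sig != "" {
		sb.WriteString("X-Body-Signature: " + sig + "\r\n")
	}
	sb.WriteString("\r\n" + body + "\r\n")
	return sb.String()
}

// Filter is the rule: parse, extract the claimed sender domain, and if that
// domain is under policy, demand a signature that verifies under the pinned
// key. The second return value is a reason line for the filter log.
func (p Policy) Filter(raw string) (Verdict, string) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Quarantine, "unparseable message"
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Quarantine, "bad From header"
	}
	domain := strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])
	pub, protected := p.Keys[domain]
	if !protected {
		// Lookalike domains fall through here: the rule only covers mail that
		// claims a protected domain, which is the limit John concedes above.
		return Accept, "sender domain not under signing policy"
	}
	sig, err := base64.StdEncoding.DecodeString(msg.Header.Get("X-Body-Signature"))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Quarantine, "claims " + domain + " but carries no usable signature"
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return Quarantine, "unreadable body"
	}
	if !ed25519.Verify(pub, signedBytes(from.Address, body), sig) {
		return Quarantine, "signature does not verify under pinned key for " + domain
	}
	return Accept, "valid signature for " + domain
}

// NewDemoPolicy generates a fresh key pair for domain and pins its public
// half. Assumption for the demo only: a real filter would load the key from
// DNS or a key server rather than mint it.
func NewDemoPolicy(domain string) (Policy, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Policy{Keys: map[string]ed25519.PublicKey{domain: pub}}, priv
}

func main() {
	pol, courtKey := NewDemoPolicy("uscourts.gov")
	_, attackerKey := NewDemoPolicy("attacker.example")
	from, body := "clerk@uscourts.gov", "A hearing is scheduled. See the attached notice."
	cases := []struct{ name, raw string }{
		{"genuine", BuildMessage(from, "Notice", body, SignBody(courtKey, from, body))},
		{"unsigned", BuildMessage(from, "Notice", body, "")},
		{"wrong key", BuildMessage(from, "Notice", body, SignBody(attackerKey, from, body))},
		{"tampered", BuildMessage(from, "Notice", body+" Click http://evil.example", SignBody(courtKey, from, body))},
		{"replayed", BuildMessage("judge@uscourts.gov", "Notice", body, SignBody(courtKey, from, body))},
		{"unprotected", BuildMessage("friend@example.org", "hi", "lunch?", "")},
	}
	for _, c := range cases {
		v, why := pol.Filter(c.raw)
		fmt.Printf("%-12s %-10s %s\n", c.name, v, why)
	}
}
```

The point the cases make: an attacker can always sign with a key of their own, so the rule must pin the key expected for the claimed domain rather than accept any valid signature; and binding the sender address into the signed data stops a genuinely signed message from being re-sent under another address at the same domain. What the rule does not do is stop mail from a lookalike domain that never claimed to be the courts, which is the residual "some users check the address, some don't" gap the thread is about.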


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
