Educause Security Discussion mailing list archives
Re: [Spam:5.9 SpamScore] Re: [SECURITY] Please print and post -
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 12 Oct 2010 12:56:37 -0400
On Tue, 12 Oct 2010 12:31:10 EDT, Eme Ejike said:
> This brings me to the main point.....Mail Signing or simply some sort of message hash validation.
PGP and S/MIME signatures have both been available for a *long* time (the PGP key this mail is signed with is over a decade old, I have another key from 1994). However, that only provides authentication - it does *not* address the more troublesome issue of authorization. The fact that my mail is PGP-signed and thus presumably from me, doesn't actually tell you what you *wanted* to know - is this a mail that is actually safe to open and read (many will say no, as my mail tends to raise their blood pressure to dangerous levels. :)

Equally a problem is that in a software ecosystem where an estimated 140 million machines are compromised, it's hard to validate that the actual user did the signing, as opposed to software with stolen credentials. (The technical reason is that a valid signature doesn't prove the user and the data were in the same place at the same time, it proves that the secret key and the data were together).

Unfortunately, there's no really good way to address this unless you use a hardware smart card or token or other 2-factor system. And given that we've totally failed in explaining to users what that little padlock in the corner of their browser screen *really* means, I despair of non-security folk understanding the concept for e-mail.