RE: Smells like a phish, is a fish?

["Lyal Collins" <lyal.collins () key2it com au>]

Inline as  [LC]

-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org] 
Sent: Monday, 31 October 2005 4:47 AM
To: webappsec () securityfocus com
Subject: Re: Smells like a phish, is a fish?


On 29/10/05 16:22 +1000, Lyal Collins wrote:
> We are moving off topic slightly, but I disagree, and agree.
> There is a bigger general problem caused by encrypting email in virtually
> every PKI mechanism.
> 1. Virus and spam control measures fail.

Spam is not about content, even if there are misguided attempts at filtering
based on content. Spam is about consent, and the rejection can safely be
done at the edge.

[LC]
The point is that S/MIME and PGP mail can't be inspected at the email
gateway on the network edge - its encrypted desktop to desktop.
So the only place to manage viruses and spam is at the desktop, a failed
strategy today and in the past.

Lyal

> 2. Corporate access to the content in email is at the discretion of 
> the individual, not the corporate entity. This breaks many corporate 
> laws, and helps IP thft etc.
>
> Signing email does not have these issues, but what's the point of the 
> cost to do that (cert cost, support overheads et al) and not protect 
> the message content from misuse?
>
> There are better email authentication and confidentiality solutions 
> that PKI-based ones.

Such as? Put it on a website and expect things to be collected later? Mail
2000?

Devdas Bhagat