On Mon, 2016-02-22 at 09:22 +0000, Pete Biggs wrote: > > > > the "Microsoft Infrastructure" uses S/MIME by default, which sends > > certificates. > > Yes - S/MIME works by a "Trusted Third Party" issuing signed Email > Certificates. The only verification done by someone like Comodo when > they issue personal certificates is that the certificate is sent to > the > email address specified. The advantage of S/MIME is that you do not > need to have verified knowledge of the sender's public key in order > to > verify the email - the public key is sent with the message and you > trust the party that signed the key that it belongs to the person you > think it does. The disadvantage is that you put all your trust into > a > third party - it is not unknown for the signing keys from these > "trusted" bodies to go astray and to be abused or that someone has > managed to acquire a signed key for a random email address.
There have also been cases of the Certificate Authority (CA) issuing genuine certificates to imposters. A famous case of Verisign giving out several Microsoft certs a few years ago comes to mind. Such certs are normally revoked when discovered, but revoking is another can of worms in itself and doesn't work all that well. poc _______________________________________________ evolution-list mailing list evolution-list@gnome.org To change your list options or unsubscribe, visit ... https://mail.gnome.org/mailman/listinfo/evolution-list
