On Thu, Sep 25, 2003, Moshe Kaminsky wrote about "Re: mail origin verification": > That's what I meant. The fact that some technion address appear in the > headers is not a big consolation. If you send the mail from your own > machine, it might come from localhost.localdomain (as it does in my > case). Basically, you are saying that people have absolutely no problem > sending e-mails that appear to come from me. I find it quite amazing.
Welcome to the world of SMTP (the "Simple Mail Transfer Protocol", the standard protocol used to send mail on the Internet). Circa 1992 I used to amaze my friends (those who studied in the Technion and had email addresses, that is) by sending them email "from" [EMAIL PROTECTED] Nothing has changed since... PGP (or the freeer GPG) is a good solution for mail authentication (and privacy) that lets you "sign" your email in an unfakeable fashing, and yet does not require central authentication [1]. It is not trivial to understand PGP's concepts, but if you are willing to spend a few hours learning them you might actually like it. And best of all, GPG is free software. Just watch out: do you really want each and every one of your emails to be 100% traceable to you? After sending fakable email for so many years, I got used to it, and I actually started to get scared that people could prove that I sent a certain email. Sometimes I write stupid things on this list - why would I want not to be able to deny that I wrote them? :) This is why I never sign my outgoing email, even though I'm perfectly capable technically to do so. I do sign other things that I deem important enough - like free software packages I publish. I think we had this discussion on this list a while ago, so I won't continue further. and now for the Educational Footnote of the week ;) [1] An example of central authentication is government-issued ID cards or driver licenses. Another example are credit-cards issued by certain large (and supposedly trustworthy) companies. Yet another example (on the Internet) are SSL certificates issued by certain companies called "certificate authorities" (CAs). The problem with all those centralized schemes is that they require a central entity to authorize you - this usually requires significant fees, and a significant amount of effort and red-tape to set up. Decentralized systems like PGP, on the other hand, let anyone invent their own unique identity (or several such identities). How does that help in authentication you might ask? Well, the "trick" is that nobody trusts just any random identity shown to them - you only recognize the identities sent to you by friends you know from real-life and you previously got their PGP identities from secure channels (like face-to-face meetings). Also, if your friends recognize other people, you can recognize (to a slightly less degree of confidence) your friends' friends', and so on. This is called a Web of Trust. For example, I recognize Muli's key because he showed it to me when we were in last year's August Penguin event. Muli might have signed with his key a statement that he knows Linus Torvalds' key because he (may have) met Linus in a conference last month. Now, if Linus Torvalds sends me a signed email, I can recognize his signature to be genuine (with a certain degree of confidence) - even though I never met him before, and no central authority has decreed this signature to be authentic. All the operations I mentioned above are made secure and unfakable by using public-key cryptography (it's a very interesting mathematical subject, really, you'll like it ;)). -- Nadav Har'El | Friday, Sep 26 2003, 29 Elul 5763 [EMAIL PROTECTED] |----------------------------------------- Phone: +972-53-790466, ICQ 13349191 |I had a lovely evening. Unfortunately, http://nadav.harel.org.il |this wasn't it. - Groucho Marx ================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
