On Fri, 26 Sep 2003, Nadav Har'El wrote:

> On Thu, Sep 25, 2003, Moshe Kaminsky wrote about "Re: mail origin verification":
> > That's what I meant. The fact that some Technion address appears in the
> > headers is not a big consolation. If you send the mail from your own
> > machine, it might come from localhost.localdomain (as it does in my
> > case). Basically, you are saying that people have absolutely no problem
> > sending e-mails that appear to come from me. I find it quite amazing.
>
> Welcome to the world of SMTP (the "Simple Mail Transfer Protocol", the

maybe "Welcome to Life?" :
I don't understand what is the problem making this with a regular mail.
You can always write the source address whatever you want, but the stamps
will discover which post office really sent the letter.
This is a problem of mailing system.

> standard protocol used to send mail on the Internet). Circa 1992 I used
> to amaze my friends (those who studied in the Technion and had email
> addresses, that is) by sending them email "from" [EMAIL PROTECTED]
> Nothing has changed since...
>
> PGP (or the freer GPG) is a good solution for mail authentication (and
> privacy) that lets you "sign" your email in an unfakeable fashion, and yet
> does not require central authentication [1]. It is not trivial to understand
> PGP's concepts, but if you are willing to spend a few hours learning them
> you might actually like it. And best of all, GPG is free software.
>
> Just watch out: do you really want each and every one of your emails to
> be 100% traceable to you? After sending fakable email for so many years,
> I got used to it, and I actually started to get scared that people could
> prove that I sent a certain email. Sometimes I write stupid things on
> this list - why would I want not to be able to deny that I wrote them? :)
> This is why I never sign my outgoing email, even though I'm perfectly
> capable technically to do so. I do sign other things that I deem important
> enough - like free software packages I publish. I think we had this discussion
> on this list a while ago, so I won't continue further.
>
> and now for the Educational Footnote of the week ;)
>
> [1] An example of central authentication is government-issued ID cards
> or driver licenses. Another example are credit-cards issued by certain
> large (and supposedly trustworthy) companies. Yet another example (on the
> Internet) are SSL certificates issued by certain companies called "certificate
> authorities" (CAs). The problem with all those centralized schemes is that
> they require a central entity to authorize you - this usually requires
> significant fees, and a significant amount of effort and red-tape to set up.
>
> Decentralized systems like PGP, on the other hand, let anyone invent their
> own unique identity (or several such identities). How does that help in
> authentication you might ask? Well, the "trick" is that nobody trusts just
> any random identity shown to them - you only recognize the identities sent
> to you by friends you know from real-life and you previously got their
> PGP identities from secure channels (like face-to-face meetings). Also,
> if your friends recognize other people, you can recognize (to a slightly
> less degree of confidence) your friends' friends', and so on. This is
> called a Web of Trust.
>
> For example, I recognize Muli's key because he showed it to me when we
> were in last year's August Penguin event. Muli might have signed with his
> key a statement that he knows Linus Torvalds' key because he (may have)
> met Linus in a conference last month. Now, if Linus Torvalds sends me
> a signed email, I can recognize his signature to be genuine (with a certain
> degree of confidence) - even though I never met him before, and no central
> authority has decreed this signature to be authentic.
>
> All the operations I mentioned above are made secure and unfakable by using
> public-key cryptography (it's a very interesting mathematical subject,
> really, you'll like it ;)).
>
> --
> Nadav Har'El                        |Friday, Sep 26 2003, 29 Elul 5763
> [EMAIL PROTECTED]                   |-----------------------------------------
> Phone: +972-53-790466, ICQ 13349191 |I had a lovely evening. Unfortunately,
> http://nadav.harel.org.il           |this wasn't it. - Groucho Marx
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
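
The Web of Trust reasoning in the quoted message, as an added example that is not part of the original thread: a simplified Python model in which a key counts as genuine once it is certified by one fully trusted or three marginally trusted signers whose own keys are already valid, within five hops (GnuPG's documented defaults). Every name other than Muli and Linus, and every trust assignment, is constructed for illustration.

```python
# Simplified model of Web of Trust key validity (constructed data, not GnuPG's code).
# CERTS[signer] = keys whose identity that signer has certified.
CERTS = {
    "me":      {"muli", "avi", "beni", "gil"},   # checked face to face
    "muli":    {"linus"},                        # Muli met Linus at a conference
    "avi":     {"dana", "eli"},
    "beni":    {"dana", "eli"},
    "gil":     {"dana"},
    "mallory": {"fake-linus"},                   # stranger vouching for a forgery
}
# How far "me" trusts each owner to certify other people's keys carefully.
OWNER_TRUST = {"muli": "full", "avi": "marginal", "beni": "marginal",
               "gil": "marginal", "mallory": "full"}


def valid_keys(certs, owner_trust, root, completes=1, marginals=3, max_depth=5):
    """Return {key: hops from root} for every key root may treat as genuine.

    A key becomes valid when it is certified by `completes` fully trusted or
    `marginals` marginally trusted signers whose own keys are already valid.
    """
    valid = {root: 0}
    everyone = set(certs) | {k for signed in certs.values() for k in signed}
    for depth in range(1, max_depth + 1):
        newly = {}
        for key in everyone - set(valid):
            # Only signers whose own key is already valid carry any weight.
            signers = [s for s in valid if key in certs.get(s, ())]
            # The root trusts its own certifications completely.
            levels = ["full" if s == root else owner_trust.get(s) for s in signers]
            if (levels.count("full") >= completes
                    or levels.count("marginal") >= marginals):
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


if __name__ == "__main__":
    for key, hops in sorted(valid_keys(CERTS, OWNER_TRUST, "me").items()):
        print(f"{key:10s} valid at {hops} hop(s)")
```

The key named "fake-linus" stays invalid even though its signer is marked fully trusted, because that signer's own key was never validated through a chain starting at "me".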