From: michael at bluesuperman.com (Michael Gale)
Subject: a PGP signed mail? Has to be spam!

Hello,

But public keys are only valid if you trust them -- the point is, just because a person signs an e-mail with a PGP key and the key matches the from address does not mean it is NOT spam.

E-mails from spammers do not usually have valid from addresses - so the PGP key can match the fake from addresses without a problem.

So again -- a PGP signed message is as trustworthy as the from address of the spammer is.

The only reason my from address did not match my PGP key is because I cannot post to the list if my from address is not michael@...esuperman.com

Also -- having a mail server check PGP sigs on e-mails is NOT an option -- think of the overhead, the delay and timeout if the server does not exist or no response. This would cause major mailq build-ups and could easily crash a mail system.

Anti-spam tools - DCC, Razor, RBL, Bayesian Statistical Token Analysis and then whitelist and blacklist. Not PGP checks.

Michael.

On Wed, 12 Nov 2003 04:24:11 +0000
"Daniel" <dan@...kedbox.net> wrote:

> Michael Gale <michael@...esuperman.com> wrote:
>
> > Hello,
> >
> > Do you know how PGP signatures work, you need to have the person who
> > signed it / created the PGP sig to somehow securely provide you with
> > their key to validate it.
>
> Ummm, no, that is why we have public/private keys. The private key can
> be used to sign and the public key used to verify. Yes you can create
> a key from an address that is not your own. But if you receive a
> message from bill@...rosoft.com you would expect a key to say the
> same.
>
> Regards,
> Daniel B.
>
> ----------------------------------------
> Please do not send me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html
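
The distinction debated in this thread, a good signature whose key UID matches the From address versus a signature from a key the recipient actually trusts, shown as an added example that is not part of the original messages. It classifies GnuPG `--status-fd` output; the status text, key IDs, addresses and function names are constructed for illustration.

```python
import re

# GnuPG trust keywords that mean the recipient's keyring vouches for the key.
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Constructed sample status output (not taken from the thread).
UNKNOWN_KEY_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <offers@example.com>\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
KNOWN_KEY_STATUS = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Known Contact <alice@example.org>\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)

def parse_status(status_text):
    """Pull signature validity, signer UID and trust level from status lines."""
    info = {"good": False, "uid": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split(" ", 2)
        keyword = fields[0]
        if keyword == "GOODSIG" and len(fields) == 3:
            info["good"], info["uid"] = True, fields[2]
        elif keyword in ("BADSIG", "ERRSIG"):
            info["good"] = False
        elif keyword.startswith("TRUST_"):
            info["trust"] = keyword
    return info

def uid_address(uid):
    """Return the lowercased address inside the trailing <...> of a UID."""
    match = re.search(r"<([^<>]+)>\s*$", uid or "")
    return match.group(1).lower() if match else None

def classify(status_text, from_addr):
    """Separate 'signature verifies' from 'signer is someone we trust'."""
    info = parse_status(status_text)
    if not info["good"]:
        return "unsigned-or-bad"
    if uid_address(info["uid"]) != from_addr.lower():
        return "signed-uid-mismatch"
    if info["trust"] in TRUSTED_LEVELS:
        return "signed-by-trusted-key"
    # Anyone can generate a key carrying any address, so a matching UID
    # on an untrusted key is not evidence about the sender.
    return "signed-by-unknown-key"
```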