Signed headers (was Re: Evolution signatures)

Thomas Sjögren thomas@northernsecurity.net
Wed Aug 6 20:38:03 2003


--9jxsPFA5p3P2qPhR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 06, 2003 at 09:12:22AM -0400, darren chamberlain wrote:
> Would that be host-id of the sender's machine, or the mailhost, or one
> of the servers along the way?  The only one that makes sense (to me) is
> the hostid of the originating machine.=20

Yes, the host-id of the originating machine makes the most sense.

> But, oops, wait, there's
> firewalls in the way, so you can't check hostids.

I can verify your mail signature and i'm behind a firewall. Oops,
according to you that isn't possible. Is it magic?! No, it's public key
crypto!
(and please _don't_ mind the troll:)

> Oh yeah, and I'm
> sending this message from a kiosk in an internet cafe, and er, I almost
> forgot, we have a farm of machines as a mailhost.

If you're sending mail from a public place (internet cafe, whatever)
host-ids won't do you any good, that is correct. but i don't know anyone
that brings there gpg-keys to a public place and sends confidential (or
private or ... ) mail.

> Not that I disagree with you, though -- I think a hostid should be part
> of each Recieved header, which should be verified on a host-by-host
> basis (i.e., each successive host in the path verifies the key of the
> host that contacted it), perhaps with an ever growing checksum of those
> hostids that each machine along the way verifies and then appends to
> (such that a machine could verify the checksum for each set of recieved
> headers).  But that's just my take on it. ;)

=2E.. or a similar system that exists for GPG/PGP public keys could be
used, but instead of personal public keys we distribute host public keys
to verify the host-id in the headers.

/Thomas
--=20
=3D=3D thomas@northernsecurity.net | thomas@se.linux.org
=3D=3D 3367 0D84 444B D5B6 980E 7D5D 1209 639D 114A A85C
--

--9jxsPFA5p3P2qPhR
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/MUtBEgljnRFKqFwRAlvXAKCLNngXYIT0umeiynbnwv/tgtynBACg1nkn
n3zKYQ0k5X/xih+pDKcUXuE=
=y8Zb
-----END PGP SIGNATURE-----

--9jxsPFA5p3P2qPhR--