1994-09-28 - Re: Mandatory email verification

Header Data

From: dps@kafka.atinc.com (Doug Shapter)
To: dcwill@ee.unr.edu
Message Hash: ad8ee84b0debc60afb8d3e678b699efbadb227e0d18b73b3a08d8dd5f5cc08fa
Message ID: <9409280832.ZM12030@kafka.atinc.com>
Reply To: <199409272247.RAA18617@pentagon.io.com>
UTC Datetime: 1994-09-28 12:32:17 UTC
Raw Date: Wed, 28 Sep 94 05:32:17 PDT

Raw message

From: dps@kafka.atinc.com (Doug Shapter)
Date: Wed, 28 Sep 94 05:32:17 PDT
To: dcwill@ee.unr.edu
Subject: Re: Mandatory email verification
In-Reply-To: <199409272247.RAA18617@pentagon.io.com>
Message-ID: <9409280832.ZM12030@kafka.atinc.com>
MIME-Version: 1.0
Content-Type: text/plain


It's my understanding that to be truly useful on multi-user
systems, digital signatures require some user input (e.g., PGP
requires entering a pass phrase). Sendmail could be hacked easily
enough to append signatures and to even ask the user for the
requisite pass phrase-- or sendmail can append the signature
automagically, using an environment variable (yuch, just a touch
insecure?) or some other method (a root-owned and executed shell
script).

The first method, having sendmail ask the user for the pass
phrase, is most secure, but also the most inconvenient. For
instance, at our site, we have several distributed
workstations. We send numerous mail messages to each other every
day, and signing each one would be a real pain. To prevent this,
sendmail could be hacked to only require signatures on mail
messages addressed outside the domain. This still leaves us back
at the original problem-- one of us could flame the boss and then
deny the authenticity of the message because it lacked our
signature.

The automagic method is frightfully insecure. Creating an
environment variable transparently requires that the pass phrase
be physically located on the system, instead of the user's
mind. (I wouldn't want to ask users to slip in their "pass
phrase" disk every morning when they log on). There is also a
question of trust-- a dishonest sysadm could easily break this
method. The dishonest sysadm could also easily break a shell
script method, as could anyone who got the root password.

Jim McCoy pointed out aptly that the hack could be done quickly,
but, laying technical issues aside, do we really want our
computers signing our mail for us (what about messages to
anonymous remailers-- a digital signature defeats that in short
order)? That's the real question.



-- 
Doug Shapter                
dps@kafka.atinc.com         
finger dps@kryten.atinc.com for PGP public key
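The signing policy sketched in the message above (no signature on mail that stays inside the domain, an interactively entered pass phrase for mail going outside, and no signature at all when an anonymous remailer is among the recipients), as an added example that is not part of the original post. The domain names and the `ask` callback are constructed assumptions; a real MTA hook would hand the pass phrase to PGP instead of returning it.

```python
"""Outbound-mail signing policy for a sendmail-style hook.

Decides per message whether a signature is required, and obtains the
pass phrase only by prompting the user, never from the environment.
"""
import getpass
from email.utils import getaddresses
from enum import Enum

LOCAL_DOMAIN = "example.org"                 # constructed: our own domain
REMAILER_DOMAINS = {"remailer.example.net"}  # constructed: known remailers


class Action(Enum):
    SKIP = "skip"        # every recipient is local: no signature needed
    NO_SIGN = "no-sign"  # a remailer is a recipient: signing defeats anonymity
    SIGN = "sign"        # some recipient is outside the domain: sign it


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def signing_action(to_header: str) -> Action:
    """Classify a To: header into one of the three actions above."""
    addrs = [a for _, a in getaddresses([to_header]) if "@" in a]
    domains = {_domain(a) for a in addrs}
    # Anonymity loss is the worse failure, so check remailers first:
    # a mixed list (remailer + outside recipient) is still not signed.
    if domains & REMAILER_DOMAINS:
        return Action.NO_SIGN
    if all(d == LOCAL_DOMAIN for d in domains):
        return Action.SKIP
    return Action.SIGN


def prepare(to_header: str, ask=getpass.getpass):
    """Return (action, pass_phrase). The pass phrase is requested from the
    user via `ask` only when a signature is actually required, so it is
    never stored on the system or inherited through the environment."""
    action = signing_action(to_header)
    if action is Action.SIGN:
        return action, ask("PGP pass phrase: ")
    return action, None
```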