[dmarc-discuss] MLM and Header-From rewritting - the SMTPopen-relay analogy

J. Gomez jgomez at seryrich.com
Mon Jun 9 13:46:12 PDT 2014


On Monday, June 09, 2014 10:35 PM [GMT+1=CET], David Woodhouse wrote:

> On Mon, 2014-06-09 at 21:39 +0200, J. Gomez via dmarc-discuss wrote:
> > On Sunday, June 08, 2014 7:22 AM [GMT+1=CET], David Woodhouse via
> > dmarc-discuss wrote: 
> > 
> > > On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss
> > > wrote:
> > > > 
> > > > DMARC really sounded good when it was first defined and
> > > > spec’d. And it DOES prevent spoofing a Yahoo or AOL address,
> > > > but does nothing to prevent spoofing a Yahoo or AOL user, (or
> > > > Chase, Wells-Fargo, Bank of America, etc) as my inbox has
> > > > proven over the past few days. 
> > > 
> > > For the banks, there's a much simpler solution anyway. Banks
> > > should be S/MIME-signing all their customer-facing outbound mail,
> > > and a customer should know with 100% certainty that if they get a
> > > mail which isn't S/MIME signed with the bank's certificate, it's
> > > a fake. 
> > (...)
> > > Any bank *not* signing its direct-to-customer email should be
> > > prosecuted as an accessory to fraud which it is enabling by
> > > actively training its customers to succumb to phishing :)
> > 
> > Nice. And how is the bank supposed to get hold of all of his
> > clients' 
> > public keys in order to S/MIME sign all the mail said bank sends to
> > all his clients.
> 
> That isn't necessary. I don't have your public key, if indeed you have
> one. But my mail is still signed and your MUA ought to show that. Or
> worst case, your MUA does nothing and you can still read my email
> anyway. But even crappy not-really-email systems like Exchange+Outlook
> can handle S/MIME properly. And the Android mailer, etc.
> 
> Remember, we're talking about *signing*, not encryption.

Oh, OK, thanks for making it clear to me, I somehow undestood you were proposing encryption.

Regards,
J.Gomez




More information about the dmarc-discuss mailing list