[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

David Woodhouse dwmw2 at infradead.org
Mon Jun 9 13:35:44 PDT 2014


On Mon, 2014-06-09 at 21:39 +0200, J. Gomez via dmarc-discuss wrote:
> On Sunday, June 08, 2014 7:22 AM [GMT+1=CET], David Woodhouse via dmarc-discuss wrote:
> 
> > On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss
> > wrote: 
> > > 
> > > DMARC really sounded good when it was first defined and spec’d. And
> > > it DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> > > prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank
> > > of America, etc) as my inbox has proven over the past few days.
> > 
> > For the banks, there's a much simpler solution anyway. Banks should be
> > S/MIME-signing all their customer-facing outbound mail, and a customer
> > should know with 100% certainty that if they get a mail which isn't
> > S/MIME signed with the bank's certificate, it's a fake.
> (...)
> > Any bank *not* signing its direct-to-customer email should be
> > prosecuted as an accessory to fraud which it is enabling by actively
> > training its customers to succumb to phishing :)
> 
> Nice. And how is the bank supposed to get hold of all of its clients'
> public keys in order to S/MIME sign all the mail said bank sends to
> all its clients?

That isn't necessary. I don't have your public key, if indeed you have
one. But my mail is still signed and your MUA ought to show that. Or
worst case, your MUA does nothing and you can still read my email
anyway. But even crappy not-really-email systems like Exchange+Outlook
can handle S/MIME properly. And the Android mailer, etc.

Remember, we're talking about *signing*, not encryption.

(Not that it's hard to allow a user to register a key through the online
banking system and thus allow encryption too, but that's not what we
were talking about, and that would indeed require an abnormal level of
clue on the part of the user.)

-- 
dwmw2
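The point made above, that signing needs only the sender's key pair and certificate while the recipient contributes no key at all, can be seen end to end with the openssl CLI. The script below is an added example, not code from the thread or from any of the participants; it assumes an openssl binary (1.1.1 or 3.x) on PATH, and the host name, addresses and message body are constructed for the demo. It plays the bank (generate key and certificate, sign a message), then the customer's MUA (verify with nothing but the bank's certificate as trust anchor), and finally shows that altering the clear-text part of the signed message makes verification fail.

```shell
#!/bin/sh
# Added example, not code from the original thread. It demonstrates that
# S/MIME *signing* uses only the sender's key pair and certificate: the
# recipient verifies with the sender's certificate (carried inside the signed
# message and anchored to a trusted CA) and never supplies a key of their own.
# Assumes the openssl CLI (1.1.1 or 3.x). Names, addresses and the message
# text are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Sender side: the bank generates its signing key and certificate.
#    Self-signed here; a real bank would use a publicly trusted CA so that
#    customers' MUAs already trust the chain without any setup.
make_bank_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=examplebank.test" \
        -keyout "$WORK/bank.key" -out "$WORK/bank.crt" >/dev/null 2>&1
}

# 2. Sender side: sign the message body. The default output is
#    multipart/signed (clear text plus a detached PKCS#7 signature), which is
#    why an S/MIME-unaware MUA can still read the mail; it just cannot verify.
sign_message() {
    printf '%s\n' "$1" > "$WORK/body.txt"
    openssl cms -sign -text -in "$WORK/body.txt" \
        -signer "$WORK/bank.crt" -inkey "$WORK/bank.key" \
        -from alerts@examplebank.test -to customer@example.test \
        -subject "Your statement" -out "$WORK/signed.eml"
}

# 3. Recipient side: verify. The only material needed is the bank's
#    certificate as trust anchor; no recipient key exists anywhere.
#    Returns 0 for a valid signature over unmodified content, non-zero otherwise.
verify_message() {
    openssl cms -verify -text -in "$1" -CAfile "$WORK/bank.crt" \
        -out "$WORK/verified.txt" >/dev/null 2>&1
}

# 4. Modification in transit: change one word of the clear-text part.
#    The detached signature no longer matches, so verification must fail.
tamper_message() {
    sed 's/statement is ready/statement is overdue/' "$1" > "$2"
}

make_bank_cert
sign_message "Your statement is ready."
if verify_message "$WORK/signed.eml"; then
    echo "genuine message: signature verified using the bank's certificate only"
fi
tamper_message "$WORK/signed.eml" "$WORK/tampered.eml"
if verify_message "$WORK/tampered.eml"; then
    echo "tampered message: UNEXPECTEDLY verified"
else
    echo "tampered message: verification failed, as it should"
fi
```

Run it as `sh smime_sign_demo.sh`. Inspecting `$WORK/signed.eml` before the trap removes it shows the two-part structure: the readable body first, the base64 signature and signer certificate second. Encryption is the separate case the thread sets aside: that is where the bank would need each customer's public key, and nothing in this script touches it.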