Thus spake "Michael Thomas" <mat@cisco.com>
> It depends on what you mean by signing. Signing a message in and
> of itself ought not hurt anything modulo software bugs, etc. But the
> real question is what does the receiving program (MTA, MUA) do
> with that signature? At the very least it could verify the signature,
> but then what? If it doesn't verify do you drop it? (transitive trust
> comes into play, but most likely). Does it do anything beyond that?

Well, if you use a score-based anti-spam system, the lack of a signature could "cost" a message a few points, but that's about it.

The root problem here is we're trying to define an authentication system without also defining the authorization or accounting systems to use it.

> Let me ask something in return: do you think that
> just the act of signing mail -- with no trust
> roots implied -- could help?

It does, at least until spammers start signing their email too.

Does my signature on this message make you trust it more than, say, the ten ads you got this morning for Viagra? Why or why not?

S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking

Attachment:
smime.p7s
Description: S/MIME cryptographic signature