On 11/18/20 8:08 PM, John R. Levine wrote:
Large webmail systems have always been pretty strict about what header
addresses you can use. I don't think it was ever easy for one Gmail
user to send mail pretending to be another.
But it was turning on submission auth that makes a really good case
that a person did in fact send that piece of email. ...
Gmail, Yahoo, and the like have always required that users
authenticate before sending mail. Otherwise they'd be open relays.
There were tons of open sewers back then. The ISP's were especially bad.
Gmail wasn't even publicly available until 2004.
I wonder if this has been used legally yet?
Not that I ever heard. In court cases they tend to be more interested
in chain of custody than technical features.
I pinged a lawyer friend last night who deals in an area that is
affected by email non-repudiation and explained this entire thing to him
(no small thing because he's not very technical), and his ears
definitely perked up. He did say when somebody did dispute they actually
sent a piece of mail, they'd call in an "email expert" witness who would
walk them through why it wasn't forged. I have no idea if they resort to
using DKIM as one of their arguments, i'm guessing not because the
entire idea of forgery with all of the other evidence probably makes it
pretty far fetched. But if there's enough money on the line...
Mike
