Authenticating email

Jonathan B. Bayer pmmail@rpglink.com
Wed, 03 May 2000 10:11:27 -0400


-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 04 May 2000 10:41:57 -0300 (ADT), Trevor Smith wrote:

>On Wed, 03 May 2000 09:02:11 -0400, Jonathan B. Bayer wrote:
>
>>At least with registered smail, the mailman gets a human signature. 
>>Yes, it can be forged, yes, it may not be the same person.  But at
>>least there is some physical evidence which can be used for
>>authentication purposes.  If someone swears they didn't receive
>>something, and the PO supplies a signature, the police can compare
>>signatures to see if it belongs to the person or not.  Not perfect, but
>>still understandable to most people.
>
>I just had a great idea. What if there was a registered mail for
>email systems? What if you couldn't get the email that was delivered
>to you until you submitted a digital signature? Hmm...
>
>I send you a conventionally encrypted message as an attachment (a
>message that is just encrypted with a password, not a public/private
>key system) *and*, along with that, a short plain-text message that
>says:
>
>The attachment to this message is encrypted. To receive the
>decryption password by email, simply reply to this message, and sign
>your reply with PGP/GnuPG (or some other OpenPGP equivalent).

Ok.  First off, what if the receiver doesn't have any sort of digital
signature?  Second, prove that it really was that person, he/she could
always make the claim that the digital signature was
stolen/misused/etc.  

However, this idea has some merit.  There is at least one web-based
secure mail system that I know of which is designed to make mail
disappear (unloggable) after a certain period of time/date/etc.  The
mail contains a web link which points to the actual mail message.  This
could be the basis for a secure verification that an e-mail was read. 
But we still come back to the same question of how to verify that the
person who is reading the mail is the intended recipient.  What we can
do is to to make it more likely that the message was read by a specific
individual, but we cannot guarantee it.  Remember, regular e-mail is
like a postcard.  Anyone along the path can potentially read it and
access a url in it.

True, there is the same problem even with smail.  But at least with
smail we can prove that the mail was at least delivered to a real
person at a specific address.

JBB

- --
ICQ # 44910403
Power Listviewer URL:   http://www.bigfoot.com/~PowerListviewer
PMMail Archiver URL:    http://www.bigfoot.com/~Jonathan_Bayer/archiver

For PGP Public key block/Fingerprint send the following message to me as the Subject:
        Send PGP Signature

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.

iQCVAwUBORAzjo1F3x2FJJilAQHcVAP/Qxmodr51Rts6MZwYoM9RPmVY0Pc7iMl+
9wjhica3IwFegWmzG3UHPARwd0ahcTFFLwPiGh+J/wxW84JFY4FlkaOpEf75eTyO
pPOUIhQsaQhpDnaZQ1vvYcs7/jsumn933UZwevK8dxFajQ3dRmhBuXBnL6gQJmKU
RYBFaCRDqEw=
=qbFZ
-----END PGP SIGNATURE-----