Firewalls: re: Fakemail

Firewalls
(April 1996)

Indexed By Thread: [Previous] [Next]

Subject:	re: Fakemail
From:	"A. Padgett Peterson P.E. Information Security" <PADGETT @ hobbes . orl . mmc . com>
Date:	Wed, 24 Apr 1996 9:25:24 -0400 (EDT)
To:	firewalls @ greatcircle . com

a) The problem is not Fakemail - the problem is people who rely on
   unreliable entries (message parts)

>From:	UVS1::"firewalls-owner @
 greatcircle .
 com" 23-APR-1996 19:00:14.85
>To:	finken @
 conware .
 de
>CC:	firewalls @
 greatcircle .
 com, mulligan @
 ns .
 fullnet .
 net, axr127 @
 psu .
 edu
>Subj:	Fakemail (Possible solutions)

With VAXmail, this is what you get. Obviously wrong but does not matter
(other than REPLY goes to the wrong place) because *the purpose of mail
is delivery. Period.*

>-----BEGIN PGP SIGNED MESSAGE-----

This is one answer that is commonly used. Still does not say where it came 
from but provides confidence that the signer has had it in his/her/its/other
possession at some time *and that is all*.

John rote:
>I really don't believe that although PGP is the best solution in theory, it 
>is the least viable of all solutions.

Would not be that harsh myself. True at present it is designed for 
individual communications rather than group but this is not an inherant
weakness, just an indication that a good key management/distribution
management system does not exist. X.509 would seem to be one mechanism.

I can see a future in which an individual only has two keys - their own
and that of a trusted post office (note: I did not say *the* Post Office
as in US). Mail is sent with a receipient list and the session key
encrypted with the PO key. PO decrypts/re-encrypts the key with each
recipients public key & distributes. For material too sensitive for
such handling, a keyring can be kept in which case the po key is not used
and message is just distributed to list.

Not today, not this year, but soon. 

>  Although the use of PGP may seem easy 
>to most of the users of this mailing list, it is not the case for the 
>average user on a college campus. 

Have you seen the "enclyptor" ? Floating toolbar that is just point and
click. Do have to know a passphrase to decrypt. Will be easier soon.

(anyone who can add a button to ccMail might drop a line to support@
viacrypt.com).

>I think the following methods have been suggested so far:

Other than encrypting/signing the body of the message, all try to make
SMTP something it is not - this is why they fail.

					Warmly,
						Padgett

Follow-Ups:

re: Fakemail
From: Michael Baumann <baumann @ proton . llumc . edu>

Indexed By Date	Previous:	Re: suspicious packets in firewall logs?? From: Brian Murrell <Brian_Murrell @ bctel . net>
Indexed By Date	Next:	[no subject] From: "Ing. Rosa Isela Gonzalez Alvarez." <rgonzale @ leo . uacj . mx>
Indexed By Thread	Previous:	Any sites for DBMS/firewalls/security ?? From: shishir+email @ ftp . com
Indexed By Thread	Next:	re: Fakemail From: Michael Baumann <baumann @ proton . llumc . edu>