
Re: Mandatory email verification



It's my understanding that to be truly useful on multi-user
systems, digital signatures require some user input (eg, PGP
requires entering a pass phrase). Sendmail could be hacked easily
enough to append signatures and to even ask the user for the
requisite pass phrase-- or sendmail can append the signature
automagically, using an environment variable (yuch, just a touch
insecure?) or some other method (a root-owned and executed shell
script).

The first method, having sendmail ask the user for the pass
phrase, is most secure, but also the most inconvenient. For
instance, at our site, we have several distributed
workstations. We send numerous mail messages to each other every
day, and signing each one would be a real pain. To prevent this
sendmail could be hacked to only require signatures on mail
messages addressed outside the domain. This still leaves us back
at the original problem-- one of us could flame the boss and then
deny the authenticity of the message because it lacked our
signature.

The automagic method is frightfully insecure. Creating an
environment variable transparently requires that the pass phrase
be physically located on the system, instead of the user's
mind. (I wouldn't want to ask users to slip in their "pass
phrase" disk every morning when they log on). There is also a
question of trust-- a dishonest sysadm could easily break this
method. The dishonest sysadm could also easily break a shell
script method, as could anyone who got the root password.

Jim McCoy pointed out aptly that the hack could be done quickly,
but, laying technical issues aside, do we really want our
computers signing our mail for us (what about messages to
anonymous remailers-- a digital signature defeats that in short
order)? That's the real question.



--
Doug Shapter
[email protected]
finger [email protected] for PGP public key