echo: nthelp
to: Antti Kurenniemi
from: Rich
date: 2004-04-02 08:48:04
subject: Re: Mike doesn`t get it!

   Signing of an email is like signing of other types of data. A hash is calculated of the content being signed and that hash is encrypted with the sender's private key. The recipient verifies this by decrypting the hash with the public key and comparing it to a hash he calculates. There are some other rules for verification of S/MIME like comparing the sender to the subject in the signing certificate. There are probably others. You should look up the S/MIME RFCs for more. A good place to start for email related standards is www.imc.org. If you are interested in more info on public key crypto, the RSA web site may be a good start.

   I think any paranoia about signed trojans is extremely overrated. No matter what George may prefer, virtually no one uses read as text and virtually no one has an email cert. The intersection is even smaller. Take your concern about yourself. Do you have an email cert on your machine? If you do, where is the private key stored?

Rich

  "Antti Kurenniemi" wrote in message news:406d62c2$1{at}w3.nls.net...
  If you have a few moments, can you explain to me how the signing actually works? Because I just don't get this; it seems to me to be just one extra step sideways but nothing more - just one more thing to take control of (hack), and hey presto now you can mess around with the signatures, and the recipients will happily launch every bomb because "hey, it's signed so it must be safe".

  Is there a proper explanation somewhere that I could read? I did a bit of googling, but all I could find was some vague stuff like this: http://www.winnetmag.com/Article/ArticleID/15315/15315.html - but that would mean that if someone broke into my system via some other security hole, they could send signed mail as me, right?


  Antti Kurenniemi


  "Rich" wrote in message news:406d08ac$1{at}w3.nls.net...
  Self-signed would get you nowhere. It is not sufficient for a message to be signed. The certificate has to chain to a trusted root plus other requirements like not being revoked. No self-signed cert would be trusted by the recipient.

  Rich
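An added, self-contained illustration of the two posts above (not code from either poster, and not S/MIME itself): a toy RSA in pure Python signs the SHA-256 hash of the message with the sender's private key, the recipient checks it with the public key, and then applies the certificate rules Rich lists: the signing certificate must chain to a root in the recipient's trust store, must not be revoked, and its subject must match the sender. The key sizes, the "Example Root CA" name, the example.invalid addresses and the message body are all constructed; the certificate format is a stand-in for X.509, and the unpadded RSA is for reading, not for use. Requires Python 3.8+ for `pow(e, -1, phi)`.

```python
import hashlib
import random

# Fixed-seed RNG so the run is reproducible. Constructed toy only: real S/MIME
# uses padded RSA/ECDSA over CMS with X.509 certificates, none of which is here.
_rng = random.Random(2004)
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test with random bases (trial division first)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return (public, private) as (exponent, modulus) pairs."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_int(data):
    # SHA-256 (256 bits) is far below the 512-bit modulus, so it is not reduced.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """Hash the content, then 'encrypt' the hash with the private key."""
    d, n = private
    return pow(_digest_int(data), d, n)


def verify(public, data, sig):
    """'Decrypt' the signature with the public key and compare hashes."""
    e, n = public
    return pow(sig, e, n) == _digest_int(data)


def _cert_tbs(subject, public, issuer):
    # Canonical to-be-signed bytes of the toy certificate (stand-in for X.509 DER).
    return f"{subject}|{public[0]}|{public[1]}|{issuer}".encode()


def issue_cert(subject, public, issuer, issuer_private):
    """Toy certificate: the issuer signs (subject, public key, issuer name)."""
    return {"subject": subject, "public": public, "issuer": issuer,
            "sig": sign(issuer_private, _cert_tbs(subject, public, issuer))}


def verify_signed_mail(mail, trust_store, revoked):
    """Apply the checks from the thread in order; return (ok, reason)."""
    cert = mail["cert"]
    if not verify(cert["public"], mail["body"], mail["sig"]):
        return False, "content signature does not verify"
    root = trust_store.get(cert["issuer"])            # self-signed certs stop here
    if root is None:
        return False, "certificate does not chain to a trusted root"
    if not verify(root, _cert_tbs(cert["subject"], cert["public"], cert["issuer"]), cert["sig"]):
        return False, "certificate signature does not verify"
    if cert["subject"] in revoked:
        return False, "certificate is revoked"
    if cert["subject"] != mail["from"]:
        return False, "sender does not match certificate subject"
    return True, "ok"


def demo():
    """Run the scenarios discussed in the thread; returns {name: (ok, reason)}."""
    root_pub, root_priv = keygen()
    antti_pub, antti_priv = keygen()
    other_pub, other_priv = keygen()
    trust_store = {"Example Root CA": root_pub}        # recipient's trusted roots (constructed)
    sender = "antti@example.invalid"                   # constructed address
    good_cert = issue_cert(sender, antti_pub, "Example Root CA", root_priv)
    self_signed = issue_cert(sender, other_pub, sender, other_priv)  # only claims to be the sender
    body = b"Hello Rich, here is the document we discussed."      # constructed content
    genuine = {"from": sender, "body": body, "cert": good_cert, "sig": sign(antti_priv, body)}
    tampered = {**genuine, "body": body + b" (altered in transit)"}
    forged = {"from": sender, "body": body, "cert": self_signed, "sig": sign(other_priv, body)}
    mismatch = {**genuine, "from": "someone@example.invalid"}
    return {
        "genuine": verify_signed_mail(genuine, trust_store, set()),
        "tampered": verify_signed_mail(tampered, trust_store, set()),
        "self_signed": verify_signed_mail(forged, trust_store, set()),
        "revoked": verify_signed_mail(genuine, trust_store, {sender}),
        "sender_mismatch": verify_signed_mail(mismatch, trust_store, set()),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} {'VALID' if ok else 'REJECT'}: {reason}")
```

Only the genuine message passes; an altered body, a self-signed certificate, a revoked certificate and a From address that differs from the certificate subject are each rejected with the check that caught them. What none of these checks can catch is the case Rich's closing question points at: a message signed with the legitimate private key from a machine where that key was readable, which is why where the private key is stored matters more than the signature mathematics.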




--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
