unable to download get-iplayer

David Woodhouse dwmw2 at infradead.org
Fri Oct 2 02:00:17 PDT 2015


> On Fri, 2 Oct 2015 08:47:20 +0100
> CJB <chrisjbrady at gmail.com> wrote:
>
>> More to the point what was that file attached to your post?
>>
>> smime.7ps
>>
>> ????? CJB
>
> It's a cryptographic signature showing that the email has been
> cryptographically signed by David's private key, which you can then
> 'test' using his public key to make sure that he (the owner of the
> private key specifically) was the one that signed (and therefore likely
> sent) that message.
>
> At least, that's how it would work for the GPG version of this tech.
>
> I think this particular implementation David is using might be a little
> different to the way GPG does it but it does the same sort of thing.
>
> In short, it's nothing nefarious, it's actually used to make email more
> trustworthy in that it lets you know he sent it and not someone
> pretending to be him.

Right. It's S/MIME, which has been part of the email standards since the
mid-1990s. I'm disappointed that there are still any mail clients which
are so crappy that they just show it as an attachment rather than actually
checking the signature. Even Outlook manages that and that's usually the
worst possible when it comes to supporting standards.

You're right; it's different to PGP. There's no need to exchange keys or
anything like that. The trust model is just the same as for HTTPS web
sites -- the certificate is signed by a Certificate Authority that your
computer knows it can trust to vouch for my identity.

If you ever see a message from a bank or similar institution which *isn't*
signed, then you should complain. By doing that they are actively
*training* their customers to succumb to phishing fraud.

(This message isn't signed because it's sent from a mobile device on which
the keys aren't installed)


-- 
dwmw2
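
The check a mail client is expected to perform on that signature part, shown with the OpenSSL command line. This is an added example, not part of the original post: it builds a throwaway CA and sender certificate, signs a message, and verifies it against different trust files. Every name, subject and message text in it is constructed, and it assumes `openssl` is installed.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and message below is constructed.

# Build a throwaway CA, a sender certificate issued by it, and a signed mail.
make_signed_mail() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    # The CA stands in for one the recipient's computer already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed Demo CA" -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    # The sender's key pair, and a certificate for it signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Sender" \
      -keyout sender.key -out sender.csr 2>/dev/null || exit 1
    openssl x509 -req -in sender.csr -CA ca.pem -CAkey ca.key \
      -CAcreateserial -days 1 -out sender.pem 2>/dev/null || exit 1
    # A second, unrelated CA that did not issue the sender's certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed Other CA" -keyout other.key -out other.pem 2>/dev/null || exit 1
    printf 'We will never ask for your password by email.\n' > body.txt
    # Detached signature: the output is multipart/signed, with the body in
    # clear text and the signature plus sender certificate in a second part.
    openssl smime -sign -text -in body.txt -signer sender.pem \
      -inkey sender.key -out signed.eml 2>/dev/null || exit 1
    # The same mail with one word of the body changed after signing.
    sed 's/never/always/' signed.eml > tampered.eml
  )
}

# Succeeds only if the signature matches the content AND the signer's
# certificate chains to a CA in the given trust file.
verify_mail() {        # $1 = mail file, $2 = PEM file of trusted CAs
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Print "valid" or "REJECTED" for one mail checked against one trust file.
verdict() { if verify_mail "$1" "$2"; then echo valid; else echo REJECTED; fi; }

demo_dir=$(mktemp -d)
make_signed_mail "$demo_dir"
echo "signature part: $(grep -o 'filename="[^"]*"' "$demo_dir/signed.eml")"
echo "signed mail, issuing CA trusted:    $(verdict "$demo_dir/signed.eml" "$demo_dir/ca.pem")"
echo "tampered mail, issuing CA trusted:  $(verdict "$demo_dir/tampered.eml" "$demo_dir/ca.pem")"
echo "signed mail, only other CA trusted: $(verdict "$demo_dir/signed.eml" "$demo_dir/other.pem")"
```

A client that does not understand `multipart/signed` shows the second MIME part as a plain attachment, which is what the question above describes.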



