3 Questions That are Causing Me Much Thought

I have three questions that I’d like someone to answer:

Hey Jeremy,

Question 1 - No, it’s not an easy thing to do. The people you mention managed, after a lot of computing cycles, to produce a fake MD5 sig. Comodo doesn’t use MD5. I think they use SHA, not sure which one.

#2 - http://www.iana.org/

#3 - email headers are easily forged. By SPAMtards.

Good luck studious one :slight_smile:

Yes, it’s SHA1. :slight_smile:

Thank you.

  1. I was talking a bit more about how Comodo (and others?) identify the digital sigs. CIS seems to identify them by their name, which I thought could be easily forged.

  2. Ok, this is answered to my satisfaction. :slight_smile:

  3. I have gotten a few “forged” headers in spam emails… but Hotmail is usually able to identify them. You know the IANA manages domains, but does it also manage email addresses? What does?


I think you are confusing the human readable names with the actual sigs.
You might copy a name, but how would you get the sig to match? I think not.

Not sure about the email follow up question.
I think that is up to the various ISPs and mail service providers to police.
There are standards, but I don’t think there is an enforcement agency, if that is what you’re driving at.


PS. A bit more reading for your edification. http://www.imc.org/mail-standards.html

Ok, thanks.

I think you are confusing the human readable names with the actual sigs.

As I wrote on my blog, it seemed like CIS identified the signatures by their title only. Does Comodo actually have a database of the signatures too?

They must, or at least have access to verify the sigs of the various signers.
The human readable names are to make it possible to tell one from another, in human terms.
A list of sig hashes would leave you without a clue as to what is what.


The way that code signing works is that, in theory, each applicant is unique and has their own unique name…
Eg: Comodo CA Ltd (is a unique name) and no one should be able to buy a code signing cert apart from Comodo CA Ltd. Hence just relying on the name is good enough cos it’s a unique identifier (unless the CA has failed in validation).


Can’t someone just “make” a digital signature with the name “Comodo CA Ltd.”?

Yes… anyone can create a digital certificate. But it would not be trusted.
The list of trusted root keys is stored in the browser, so if you were to create a digital cert with the same name as Comodo CA Ltd, sign an application and send it to someone, the browser would warn the user saying this is not trusted.
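To show the point made in this post and the earlier one about the name being only a label for the signature, here is an added example in Go (not code from Comodo or from anyone in this thread). It constructs a root named "Comodo CA Ltd", a code-signing cert signed by that root, and a self-signed impostor carrying the same name; the name, keys and lifetimes are all made up for the demo, and only the cert whose signature chains to the root in the trust store verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // the demo cannot continue without its constructed certs
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a code-signing cert for subject, signed by parent/parentKey or self-signed when parent is nil.
func makeCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // self-signed: the certificate vouches only for itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Trusted walks the signature chain up to a root in the pool; a copied name with the wrong key fails here.
func Trusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

// Demo returns (genuine trusted, impostor trusted): both certs say "Comodo CA Ltd", only one chains to the root.
func Demo() (bool, bool) {
	root, rootKey := makeCert("Comodo CA Ltd", true, nil, nil)
	genuine, _ := makeCert("Comodo CA Ltd", false, root, rootKey)
	impostor, _ := makeCert("Comodo CA Ltd", false, nil, nil) // same name, unrelated key
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return Trusted(genuine, roots), Trusted(impostor, roots)
}
```

A real trust store would hold the publicly trusted roots instead of the constructed one, but the check is the same: the subject name never decides trust by itself.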


You use FX, don’t you JB?

Have a look under Tools/Options/Advanced/Encryption/View Certificates -> for all your RCAs


Yes I use Firefox.

@Melih: Thanks. Learning something new every day! :slight_smile:


np :slight_smile: Me too! :slight_smile: