eSig - Email Signer and Validator

An open-source implementation of Elegitimizer.com's "elegitisigner" specification.

Frequently Asked Questions (FAQ)

General Questions:
Q.) What is esig? (What does esig do?)
Q.) How does esig work?
Q.) How is esig better than competing products?
Q.) How does esig help against spam and viruses?
Q.) What is the "Elegitimizer Certificate Authority (ECA)"?
Q.) What does "Web Of Trust" mean?
Q.) How much does it cost to use esig?
Q.) What information does esig verify as legitimate?
Q.) What is the basic data flow?
Q.) What prevents a spammer from using this technology to defeat filtering?



Q.) What is esig? (What does esig do?)
A.)
Esig is a method of determining if an email is legitimate or not.

Q.) How does esig work?
A.)
Esig works by signing key portions of an email's "Envelope" headers and verifying them upon receipt.  This allows email servers to filter out obvious "Fake Envelopes" or "Envelopes" from known spammers.

Q.) How is esig better than competing products?
A.)
Esig relies on a digital signature which can be verified on the server regardless of the sender's domain.  Comparable technologies fall apart when the domain is not owned and managed by the email user and reflector or forwarding technology is used.  Esig allows multiple reflectors and forwarding servers to each sign for their users.  Additionally, once an esig signature has been verified, it is stored locally, allowing immediate use on multiple addresses without contacting that domain's servers for validation.

Q.) How does esig help against spam and viruses?
A.)
Most spam and viruses come from email addresses you don't know.  Others come from addresses pretending to be people you know.  Esig establishes a "Web Of Trust" model requiring each server to authenticate its addresses before it sends the email.  Even if a spammer registers a domain and uses esig to sign its email, the "Elegitimizer Certificate Authority (ECA)" can actively monitor and revoke all email sent using that key.  If the sender is explicitly "Not Trusted," all servers using esig have the ability to deny delivery.

Q.) What is the "Elegitimizer Certificate Authority (ECA)"?
A.)
The ECA is similar to the authority used by banks and e-commerce sites to determine the validity of the site you are connecting to.  The major difference is the trickle down effect of the "Web Of Trust" model esig uses.

Q.) What does "Web Of Trust" mean?
A.)
The "Web Of Trust" model is used for the OpenPGP signature validation which is core to the esig process.  Basically, if an esig-enabled server obtains a validly ECA-signed signature, it is allowed in turn to sign other esig-enabled servers' signatures.  If enough "Trusted" or ECA-validated signatures sign a particular server's signature, that server becomes "Trusted."  For example, servers "A," "B," and "C" have all been signed by an ECA.  If server "D" is known and trusted by servers "A," "B," and "C," then server "D" is trusted without validation by an ECA.  This model allows validated servers to build a "Web Of Trust" of all legitimate servers.  However, no number of "Untrusted" servers' signatures, however large, will result in a "Trusted" signature.  This model becomes more effective as trusted servers adopt the esig technology.
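The trust rules in this answer, as an added example that is not code from the eSig project: it propagates trust over a constructed signature graph in which "eca.example" stands in for an ECA, and the threshold of three trusted endorsements is an assumption, since the page does not give the specification's value.

```python
# Constructed signature graph: signer -> set of servers whose esig keys it signed.
# "eca.example" is a stand-in Elegitimizer Certificate Authority; all other
# names are made up for the demonstration.
SIGNATURES = {
    "eca.example": {"a", "b", "c"},
    "a": {"d", "x"},
    "b": {"d"},
    "c": {"d"},
    "d": {"e"},
    # four untrusted servers all vouching for x
    "u1": {"x"}, "u2": {"x"}, "u3": {"x"}, "u4": {"x"},
}
THRESHOLD = 3  # assumed endorsement count; the spec's value is not on this page

def compute_trusted(signatures, authorities, revoked, threshold=THRESHOLD):
    """Return the set of trusted servers under the Web Of Trust rules:
    - a server signed directly by an ECA is trusted unless revoked;
    - a server endorsed by at least `threshold` distinct trusted servers is trusted;
    - signatures from untrusted or revoked servers never count, however many."""
    trusted = set()
    for eca in authorities:
        trusted |= signatures.get(eca, set()) - revoked
    changed = True
    while changed:  # propagate until no further server qualifies
        changed = False
        endorsers = {}
        for signer in trusted:
            for subject in signatures.get(signer, ()):
                if subject not in revoked:
                    endorsers.setdefault(subject, set()).add(signer)
        for subject, signers in endorsers.items():
            if subject not in trusted and len(signers) >= threshold:
                trusted.add(subject)
                changed = True
    return trusted

def delivery_decision(sender, trusted, revoked):
    """Receiving-server policy: a revoked key is explicitly Not Trusted and may be
    refused; a trusted key passes; anything else falls back to ordinary filtering."""
    if sender in revoked:
        return "deny"
    if sender in trusted:
        return "accept"
    return "unverified"
```

Revoking "a" drops "d" below the threshold as well, which is the trickle-down effect the ECA answer describes.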

Q.) How much does it cost to use esig?
A.)
According to the official "elegitisigner" license,
"This specification if implemented in its entirety is licensed for free use by anyone."
For additional information about licensing, please refer to the actual specification contained here.  Esig is merely an open-source implementation of the "elegitisigner" specification.

Q.) What information does esig verify as legitimate?
A.)
According to the "elegitisigner" specification, a number of "determinant" email headers are used to guarantee that the email originated from the server which signed it; modified or counterfeit headers will be easily detected and can be treated as such.  Any attempt to modify the headers or to "replay" legitimate headers will result in failed delivery or be detected as intentional modification.

Q.) What is the basic data flow?
A.)
Esig first identifies the "determinant" email headers as defined by the "elegitisigner" specification and signs them with a digital signature.  This signature is then inserted into the email header section and the email is sent.  On the receiving side, the "elegitisigner" signature is verified and compared with the "determinant" headers found in the email.  Any change to the signed headers or to the signature can now be detected and dealt with.
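The sign-then-verify flow described in this answer and in "What information does esig verify as legitimate?", as an added example that is not code from the eSig project: it canonicalizes an assumed determinant header set (From, To, Subject, Message-ID; the real list is in the elegitisigner specification), inserts the result under a hypothetical X-Elegitisigner-Signature header, and on receipt recomputes it over the headers actually received so that a modified or replayed header fails verification. HMAC-SHA256 with a shared key stands in for the OpenPGP signature so the script runs with only the standard library.

```python
import email
import hashlib
import hmac
from email.message import Message

# Assumed determinant header set; the real list is defined by the
# elegitisigner specification, which this page does not reproduce.
DETERMINANT_HEADERS = ("From", "To", "Subject", "Message-ID")
SIG_HEADER = "X-Elegitisigner-Signature"  # hypothetical signature header name

def canonical_determinants(msg):
    """Serialize the determinant headers in a fixed order with lowercased
    names and collapsed whitespace. A missing header is encoded as empty,
    so a header added after signing is caught too."""
    lines = []
    for name in DETERMINANT_HEADERS:
        value = " ".join((msg.get(name) or "").split())
        lines.append(f"{name.lower()}:{value}")
    return "\n".join(lines).encode()

def sign_message(msg, key):
    """Sending side: sign the determinant headers and insert the signature.
    HMAC-SHA256 stands in here for the OpenPGP signature esig really uses."""
    digest = hmac.new(key, canonical_determinants(msg), hashlib.sha256)
    msg[SIG_HEADER] = digest.hexdigest()
    return msg

def verify_message(raw, key):
    """Receiving side: recompute over the headers actually received and
    compare in constant time. A missing signature fails closed."""
    msg = email.message_from_bytes(raw)
    sig = msg.get(SIG_HEADER)
    if sig is None:
        return False
    expected = hmac.new(key, canonical_determinants(msg), hashlib.sha256)
    return hmac.compare_digest(sig.strip(), expected.hexdigest())

KEY = b"constructed-demo-key"  # stands in for the signing server's key

def build_signed_message():
    """Constructed sample message, signed as the sending server would."""
    msg = Message()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "esig demo"
    msg["Message-ID"] = "<1234@example.org>"
    msg.set_payload("hello\n")
    return sign_message(msg, KEY).as_bytes()
```

Verifying the unmodified bytes from build_signed_message() succeeds; editing the From or To line in those bytes, or stripping the signature header, makes verify_message() return False.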

Q.) What prevents a spammer from using this technology to defeat filtering?
A.)
This is a valid concern for all current email validation technologies.  By using ECAs and growing a "Web Of Trust" framework, spammers must gain trust or be validated by an ECA to be trusted.  The elaborate research involved in acquiring an ECA signature should prevent this from happening.  Even if a spammer acquires a valid ECA signature, or establishes a minimum level of "Trust," the signature may be revoked, rendering it useless.  After enough sites adopt "esig" or other "elegitisigner" compliant implementations, sites may begin to filter based solely on this "ECA/Web Of Trust" framework.  At this point, spammers will be unable to send mail to compliant servers or clients.  This, in contrast to other comparable technologies, sets esig apart from the rest.