It's worrying that people still consider an email signature to be ID. On a recent call to a client they told me a third party should just speak to me because my email signature stated who I worked for, so here I'm going to discuss why that's a flawed assumption.

In the case of my recent conversation I was talking to a client about why I couldn't just email the contacts as requested without an introduction.  The third party was a government department and it was assumed by the caller that because my signature said Network and Security Engineer and named a local government authority as my employer that those in a central government department would just take me at my word.  I'll point out at this juncture that despite working for local government I don't have .gov.uk in my email address so even that "assurance" (if you'd call it that) isn't there.

Obviously, I am assuming the recipient would perform due diligence and look to confirm my identity, rather than just accepting my claims blindly anyway.

Having watched plenty of dramas where a messenger rides into the castle of his enemy, claiming to be the envoy for some important nobleman, it's clear this problem of written identity has been around for some time.  Either that or all our books and TV shows are wrong!  Historically, documents were sealed with a signet ring, but even validating that isn't easy.

It should be noted that when I say "signature" here, I'm talking about the block of text at the end of my email.  Not a cryptographic signature.

A signature doesn't validate a job role exists

Given there are no restrictions placed on what I can write in my signature, I can claim to hold any role.  Indeed, I've seen plenty of cases where a signature implies a particular job role but that role doesn't exist.  For example, I was previously a network manager, a term which is itself somewhat ambiguous.  My signature claimed I was "network manager (and webmaster)" as that was true.  This could have given the false impression that my employer had a post by that name (which it didn't).  Equally, I've been hired as a business security analyst before, yet internally I was referred to as an IT security analyst, so that's what my signature said.

As there's no guaranteed mapping of a claimed job role to an actual one we can't simply consider that a confirmation of role (or seniority).

My signature doesn't validate I am who I claim to be

Much like my birth certificate and national insurance card state "not to be accepted as proof of ID" (or words to that effect), my signature should have that as an implied term also.  Much like the job title point above, I can state my name as anything I choose and there's rarely a technical control to prevent me from doing so.  English law allows me to call myself anything so long as I'm not attempting to mislead or act fraudulently.

Part of the reason phishing works so well is down to the assumption that my signature suggesting I'm someone important (Apple support, a managing director, etc.) is actually genuine.  Given there's no mapping to a role or a person's identity this is a significant problem.

Lack of .gov.uk

Most government staff have .gov.uk in their email address.  Regardless of the fact that that can be spoofed, the fact my email address doesn't have that element at all should set some alarm bells ringing.  I wouldn't expect central government to know about the shared services provider I work for, and as we're not a legal entity they wouldn't be able to check short of contacting the local authority directly.  Admittedly, this is more a problem with our setup than one with my signature though.  There are other IT support companies in the area, where local authorities have outsourced their IT support, that aren't on .gov.uk either.

What can be done?

As with all these things, there's no guarantee in anything.  There are moves, certainly within government, to get all email transmission encrypted and from known origins.  There's also a plan for email to be cryptographically signed using DomainKeys Identified Mail (DKIM), although this requires support on the sending mail server, and checks to be made by the recipient.  Much like the Sender Policy Framework (SPF), everyone needs to implement DKIM and make their checks in order for there to be better assurances (albeit not perfect even then).
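To make the "checks to be made by the recipient" concrete, here is an added example (my illustration, not code from the original post or from any mail product). It parses a constructed message, reads the SPF and DKIM verdicts the receiving server recorded in its Authentication-Results header, and checks whether the domain that actually passed those checks is the same domain shown in the visible From: address. It does not verify the DKIM signature itself, since that needs a DNS lookup for the signer's public key; the point is that a "dkim=pass" for some unrelated domain says nothing about the address a reader sees in the signature block. The sample messages, domains and header values are all constructed for the example.

```python
"""Recipient-side alignment check between the visible From: domain and the
domains that SPF and DKIM actually vouched for. Added example; everything
below is constructed for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample 1: the visible From: claims a .gov.uk address, but the
# DKIM signature belongs to a different domain and SPF checked a third one.
# The signature value fields are placeholders, not a real signature.
MISALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@bulk-sender.example.com;
 dkim=pass header.d=marketing.example.org
DKIM-Signature: v=1; a=rsa-sha256; d=marketing.example.org; s=sel1;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "Network and Security Engineer" <someone@council.gov.uk>
To: recipient@example.net
Subject: Please speak to my colleague

Hi, my signature says who I work for, so please take my word for it.
"""

# Constructed sample 2: the same From: domain, this time with SPF and DKIM
# both evaluated for council.gov.uk itself.
ALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@council.gov.uk;
 dkim=pass header.d=council.gov.uk
DKIM-Signature: v=1; a=rsa-sha256; d=council.gov.uk; s=sel1;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "Network and Security Engineer" <someone@council.gov.uk>
To: recipient@example.net
Subject: Please speak to my colleague

Same text, but the headers back up the visible sender.
"""


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature style 'tag=value; tag=value' header into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def from_domain(msg) -> str:
    """Domain of the visible From: address, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull each method's verdict and the domain it was evaluated for out of
    Authentication-Results. Returns e.g. {"spf": {"result": "pass", "domain": ...}}."""
    results = {}
    for segment in str(msg.get("Authentication-Results", "")).split(";"):
        verdict = re.search(r"\b(spf|dkim|dmarc)=(\w+)", segment)
        if not verdict:
            continue
        dom = re.search(r"\b(?:smtp\.mailfrom|header\.d|header\.from)=([\w.@-]+)", segment)
        domain = dom.group(1).rpartition("@")[2].lower() if dom else ""
        results[verdict.group(1)] = {"result": verdict.group(2).lower(), "domain": domain}
    return results


def assess(raw_message: str) -> dict:
    """Strict alignment: the authenticated domain must equal the From: domain.
    (DMARC's relaxed mode would also accept subdomains; kept strict here for clarity.)"""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = from_domain(msg)
    results = auth_results(msg)
    signature = parse_tags(str(msg.get("DKIM-Signature", "")))
    dkim_pass = results.get("dkim", {}).get("result") == "pass"
    dkim_aligned = signature.get("d", "").lower() == sender
    spf_aligned = results.get("spf", {}).get("domain") == sender
    return {
        "from_domain": sender,
        "claims_gov_uk": sender.endswith(".gov.uk"),
        "dkim_pass": dkim_pass,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # Only a passing signature for the From: domain itself supports the visible sender.
        "from_supported": dkim_pass and dkim_aligned,
    }


if __name__ == "__main__":
    for label, sample in (("misaligned", MISALIGNED), ("aligned", ALIGNED)):
        print(label, assess(sample))
```

The misaligned sample reports `dkim_pass` as true yet `from_supported` as false: the receiving server did verify a signature, just not one from the domain the signature block is leaning on. That gap is exactly what a mail gateway's DMARC alignment check (or a human reading the headers) should catch before the job title in the footer is taken at face value.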

In order to validate me we can use various trust models, for example the web of trust (as used by PGP and others).  The basic principle is that if you trust Alice, and Alice says to you "this is Bob", then you attribute a level of confidence that the person you're introduced to is indeed Bob.  This falls down if you don't trust anyone who trusts me, but this is what I was trying to explain to the caller.  He trusted me (presumably), having contacted me through the organisation's trusted support platform.  Third parties don't have access to that platform, so we arrive back at needing an introduction.
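Here is an added example (my illustration, not code from the original post, and not how PGP itself scores trust) of the web-of-trust reasoning in the paragraph above: confidence in an identity is carried along chains of introductions, weakening with each hop, and is zero when nobody you trust vouches for the person. The parties, the trust weights and the "multiply per hop" decay rule are assumptions chosen to mirror the caller / third party situation described in the post.

```python
"""Tiny web-of-trust calculation. Added example; the graph, weights and decay
rule are constructed assumptions, not a real trust database."""
from copy import deepcopy

# Constructed trust graph: TRUST[a][b] is how far `a` trusts `b`'s introductions
# (1.0 = completely, 0.0 = not at all). A missing edge means no trust at all.
TRUST = {
    "caller": {"author": 0.9},   # reached the author via the organisation's support platform
    "third_party": {},           # the government department trusts nobody in this graph yet
    "author": {},
}


def introduction_confidence(trust: dict, start: str, target: str, max_hops: int = 3) -> float:
    """Best confidence `start` can place in `target`'s identity by following
    chains of introductions. Each hop multiplies by the trust placed in the
    introducer, so a longer chain gives weaker assurance. 0.0 means no chain."""
    best = 0.0

    def walk(node: str, confidence: float, hops: int, seen: frozenset) -> None:
        nonlocal best
        if hops > max_hops:
            return
        for nxt, weight in trust.get(node, {}).items():
            if nxt in seen:
                continue  # never loop back through someone already on the chain
            reached = confidence * weight
            if nxt == target:
                best = max(best, reached)
            else:
                walk(nxt, reached, hops + 1, seen | {nxt})

    walk(start, 1.0, 1, frozenset({start}))
    return best


def with_introduction(trust: dict, truster: str, introducer: str, weight: float) -> dict:
    """Return a copy of the graph where `truster` now accepts `introducer`'s
    introductions at `weight`. This is the 'introduction' the post says is needed:
    the third party has to trust the caller before the caller's word about me counts."""
    updated = deepcopy(trust)
    updated.setdefault(truster, {})[introducer] = weight
    return updated


if __name__ == "__main__":
    print("caller -> author:", introduction_confidence(TRUST, "caller", "author"))
    print("third party -> author (no introduction):",
          introduction_confidence(TRUST, "third_party", "author"))
    introduced = with_introduction(TRUST, "third_party", "caller", 0.8)
    print("third party -> author (after introduction):",
          introduction_confidence(introduced, "third_party", "author"))
```

Before the introduction the third party's confidence in the author is 0.0, which is the "falls down if you don't trust anyone who trusts me" case. Once the third party trusts the caller, confidence becomes the product along the chain (0.8 × 0.9), noticeably less than the caller's own 0.9: second-hand assurance is still assurance, but it is weaker than a direct relationship, and no email signature block enters into the calculation at all.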

Verifying identity is an area fraught with problems, and, for me, the trust model seems to solve a lot of them.  After all, it's often not what you know, but who you know.


Banner image "Simple ID card" by j4p4n on OpenClipart.