First off, the problem of SPAM is one of the perfect being the enemy of the good. If we can cut the spam by 95% then that is a pretty useful achievement.

So, no I don't think that the folk selling feather luggage, herbal viagra, p0rn etc are likely to go to that length in great numbers, unless that is the Internet as a whole adopts the same type of measure following our lead.

However I have thought ahead to the issues of scale here, let us imagine that a large number of groups use the same scheme, that email agents that filter based on signatures are available and widely used.

First, consider the effect of a minor authentication requirement on certificate issue, the ability to read email sent to the address specified in the certificate. Using that technique we could eliminate spams with bogus addresses which itself would be a major advance. The amount of spam that comes through with a valid email address is vanishingly small.

Second consider that if the whole internet follows our lead and starts to use cryptography routinely there are a lot of additional steps that then become possible that are not practical until most people have a public key and there is a means of discovering that via a DNS linkage.

Third one of the things we could do in an extended enrollment process would be to get participants to agree to the following set of terms:

1) Thou shalt not SPAM.
2) Thou shalt permit your messages to be posted in the archives.
3) Thou shalt provide timely notice of any intellectual property claims.
4) Thou shalt not take the name of the chair in vain unless she deserves it.
5) etc.

Then we could sue the b*#*@#&ds if they spammed after that. People have been looking for a test case for digital signatures for ages, so don't worry about the cost.

A side benefit of this is that it would cause a lot of people to start using secure email and thus start to create some critical mass for email security.

What we need is for someone to take Majordomo or the like and merge in some sort of filter to check S/MIME and PGP signatures. Then find a group that wanted to serve as a guinea pig (S/MIME or PKIX perhaps?).

Alternatively we should perhaps form a group 'Deployment of secure email' which could apply this rubric.

Phill

> -----Original Message-----
> From: Aaron Swartz [mailto:me@aaronsw.com]
> Sent: Monday, December 02, 2002 1:43 PM
> To: Hallam-Baker, Phillip
> Cc: iesg@ietf.org; namedroppers@ops.ietf.org; ietf@ietf.org
> Subject: Re: namedroppers, continued
>
>
> Hallam-Baker, Phillip wrote:
> > The only way to resolve this issue properly would be to require every
> > submission to an IETF mailing list to be cryptographically signed
> > [and] to require the subscribers to register their signing key
>
> And how do we prevent spammers from registering their signing key? Are
> you suggesting that we change the IETF's open enrollment policy?
>
> --
> Aaron Swartz [http://www.aaronsw.com]
>

Attachment:
smime.p7s
Description: application/pkcs7-signature
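
The list-manager filter proposed in the message above, sketched as an added example that is not part of the original message or of Majordomo. It covers only the structural gate (is the submission in RFC 1847 multipart/signed form, and has the sender enrolled a key of that type); the cryptographic check is assumed to be handed to an external S/MIME or PGP verifier. The registry, addresses, outcome labels and the `sample` helper are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed enrollment table: subscriber address -> signature type registered.
REGISTERED = {"alice@example.org": "smime", "bob@example.org": "pgp"}

SIG_PROTOCOLS = {
    "application/pkcs7-signature": "smime",
    "application/x-pkcs7-signature": "smime",
    "application/pgp-signature": "pgp",
}

def signature_kind(msg):
    """Return 'smime', 'pgp' or None from the RFC 1847 multipart/signed layout."""
    if msg.get_content_type() != "multipart/signed":
        return None
    protocol = str(msg.get_param("protocol") or "").lower()
    parts = msg.get_payload()
    # RFC 1847: exactly two parts; the second is the detached signature and
    # its content type must match the declared protocol.
    if not isinstance(parts, list) or len(parts) != 2:
        return None
    if parts[1].get_content_type() != protocol:
        return None
    return SIG_PROTOCOLS.get(protocol)

def triage(raw):
    """Decide what the list manager does with a submission before delivery."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    kind = signature_kind(msg)
    if kind is None:
        return "reject-unsigned"
    if REGISTERED.get(sender) != kind:
        return "hold-unregistered"
    # From is attacker-controlled: the message is only delivered if the
    # verifier confirms the signature was made with this sender's enrolled key.
    return "verify-" + kind

def sample(sender, protocol=None):
    """Build a constructed test message; the signature body is a placeholder."""
    if protocol is None:
        return f"From: {sender}\nContent-Type: text/plain\n\nhello\n"
    return (
        f"From: {sender}\nMIME-Version: 1.0\n"
        f'Content-Type: multipart/signed; protocol="{protocol}"; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhello\n"
        f"--b1\nContent-Type: {protocol}\n\nPLACEHOLDER\n--b1--\n"
    )
```
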