On Mon, 02 Dec 2002 08:28:57 PST, "Hallam-Baker, Phillip" said:

> The only way to resolve this issue properly would be to require every
> submission to an IETF mailing list to be cryptographically signed (PGP
> or S/MIME), to require the subscribers to register their signing key and
> to then filter the mail sent out on the list so that only signed mail
> gets through.

OK.. Almost plausible. However, note that currently the PGP web-of-trust covers only a small percentage of the subscribers to the IETF list, and there's no *really* good PKI for S/MIME yet (hint - we don't seem to even understand how to apply 'basicConstraints', so if you think we're going to have working CRLs anytime soon, please share the name and address of your pharmaceutical supplier.. ;)

> Thawte still provides free S/MIME certificates, however for the purposes
> of this proposal it would suffice to use a self signed certificate.

Unfortunately, although a self-signed cert works really nicely for some purposes (for instance, it's quite sufficient to get an SSL tunnel started so passive snooping doesn't work), it's inadequate here. The problem is that there's no good way to tell my self-signed cert from Dan Bernstein's self-signed cert from J. Slimy Spammer's self-signed cert. I'd be interested in knowing what quality of a self-signed cert would denote that the poster was possessed of the Non-Spammer Nature.

I propose to you that using a Thawte free S/MIME cert proves approximately zero - a spammer can just get one for each run (and remember that no matter how much a spammer tries to hide their identity, they *still* have to provide a working way to reach them (via smtp or http or whatever) or they don't get any feedback....)

/Valdis