> OK.. Almost plausible. However note that currently, the PGP web-of-trust
> covers only a small percentage of the subscribers to the IETF list, and
> there's no *really* good PKI for S/MIME yet (hint - we don't seem to even
> understand how to apply 'basicConstraints', so if you think we're going to
> have working CRLs anytime soon, please share the name and address of your
> pharmaceutical supplier.. ;)

OCSP scales fine for revocation checking. We can use the same platform that currently serves 6 billion DNS queries a day.

I don't have a pharmaceutical supplier at hand, however I can provide you with the name of a company that has a nice line in herbal viagra if you are interested.

> I propose to you that using a Thawte free S/MIME cert proves approximately
> zero - a spammer can just get one for each run (and remember that no matter
> how much a spammer tries to hide their identity, they *still* have to provide
> a working way to reach them (via smtp or http or whatever) or they don't get
> any feedback....)

If the spammer wants to perform custom operations for each constituency they want to spam. I don't think they do, they have to be able to spam millions of people at a time or the response rate is simply too low.

Reported response rates are in the thousandths of a percent, so spamming the entire IETF gets less than a tenth of a customer.

Phill