In message <5.2.0.9.2.20021206132845.01b56f88@mira-sjcm-4.cisco.com>, Fred Baker writes:
>At 08:28 AM 12/2/2002 -0800, Hallam-Baker, Phillip wrote:
>>The only way to resolve this issue properly would be to require every
>>submission to an IETF mailing list to be cryptographically signed (PGP
>>or S/MIME), to require the subscribers to register their signing key and
>>to then filter the mail sent out on the list so that only signed mail
>>gets through.
>
>I would be in favor of that, personally, as long as we can ensure that the
>appropriate signature facility (be it RSA, PGP, or whatever) is freely
>available to all who need to use it. The issue here is not us corporate
>types who have a business reason to buy the software, it is the students
>who often lack the funds. The big issue would be the procedures for posting
>one's key to the appropriate place - what is to stop a spammer from posting
>a key and sending the spam anyway? I'm not proposing a mechanism, but
>someone who is good at such things might well find it of value.
>

Well, it's also the availability of the right signature facility in the
myriad email clients people use.

>
>I think it was Steve Bellovin that suggested a procedure for reducing the
>utility of spoofing source addresses in emails; if not, it was me and I
>happened to suggest something his favorite algorithm fit into, by having a
>host in each mail domain (mailid.example.com) be able to assert that its
>domain had or had not sent an email within a given recent time period
>whose MD5 hash, when divided by <vector of prime numbers> resulted in
><vector of remainders>. I could write that up in an internet draft if folks
>think it makes sense. That would be a more global procedure that didn't
>require a PKI and only addressed spoofed addresses.
>

Wasn't me...

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
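
The remainder-vector check described in the quoted text above, sketched as an added example; it is not code from this thread or from any draft. The prime list, the one-hour window, hashing the whole message, and the MailIdHost class are assumptions made for illustration, since the message specifies none of them.

```python
import hashlib

# Assumption: the thread names no primes; these four are illustrative.
# Their product is about 2**64, so an unrelated message matches a stored
# vector with probability of roughly 2**-64.
PRIMES = (65521, 65537, 65539, 65543)
WINDOW_SECONDS = 3600  # assumption: "given recent time period" = one hour


def residues(message: bytes, primes=PRIMES) -> tuple:
    """MD5 digest read as an integer, reduced modulo each prime."""
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")
    return tuple(digest % p for p in primes)


class MailIdHost:
    """Hypothetical stand-in for the per-domain host (mailid.example.com)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._sent = {}  # remainder vector -> time the message was sent

    def record_outgoing(self, message: bytes, now: float) -> None:
        self._sent[residues(message)] = now

    def asserts_sent(self, vector: tuple, now: float) -> bool:
        # Forget entries older than the window, then answer yes or no.
        self._sent = {v: t for v, t in self._sent.items()
                      if now - t <= self.window}
        return vector in self._sent


def receiver_check(host: MailIdHost, message: bytes, now: float) -> bool:
    """Receiving side: only the remainders are sent to the domain's host."""
    return host.asserts_sent(residues(message), now)


def demo() -> tuple:
    t0 = 1_000_000.0  # constructed timestamp
    host = MailIdHost()
    # Constructed sample messages
    genuine = b"From: alice@example.com\r\nSubject: minutes\r\n\r\nSee notes.\r\n"
    spoofed = b"From: alice@example.com\r\nSubject: offer\r\n\r\nBuy now.\r\n"
    host.record_outgoing(genuine, t0)
    return (receiver_check(host, genuine, t0 + 60),    # sent by the domain
            receiver_check(host, spoofed, t0 + 60),    # never sent by it
            receiver_check(host, genuine, t0 + 7200))  # outside the window
```

As the quoted text says, this only addresses spoofed source addresses: a "yes" from the host says the domain sent that message recently, nothing about whether the message is wanted.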