> > > However, creating new public/private key pairs is an incredibly
> > > expensive operation, and one that a legitimate email wouldn't have to
> > > do very often, but a spammer would if we just keep blacklisting their
> > > keys.
> > >
> > Uh? Creating a Diffie-Hellman public/private key pair is actually quite
> > simple. Even an RSA pair is not all that hard, considering that a set of
> > N prime numbers can generate N.(N-1)/2 key pairs. The logical
> > consequence of authenticated e-mail is bound to be authenticated spam...
>
> You don't see that as a step in the right direction?

It depends whether you use something like PGP or something like PKI.

If PGP or PGP-like, then the spammers can very easily create throwaway identities, and we have not gained much. In fact, spammers seldom fake the email addresses of one of your friends, so a PGP solution would not be a dramatic improvement over simply maintaining a "white list" of friendly email addresses.

If PKI or PKI-like, then the spammers would need to obtain an actual certificate for each of their throwaway identities. But so would everyone else, which implicitly limits the cost of obtaining a certificate to whatever the public can bear, and the amount of identity checks to whatever the public is willing to accept, which today is an e-mail reachability test. So, the spammers will be slowed down, but not much.

-- Christian Huitema