The best system I have found is tmda.sourceforge.net which concept is used on a couple of commercial individual systems...
The concept is quite simple...
Someone unknown to me send me an e-mail. I do not receive this e-mail yet but an automatic reply ask the person to perform a task to authenticate itself... Like replying to a specific address after reading the message (something like a simple Turing test to prove the person is human). The e-mail of this person is then added to my whitelist, I receive this person e-mail as well as all subsequent e-mails....
Any person that wants to talk to me will follow the procedure... any spammer will not bother to follow the procedure because suddenly it costs him time therefore money... Remember it is a Turing test so a machine cannot pass it....
Now what digital signing should bring, the power to sue because of the traceability.
Cheers
On Thu, 2003-06-05 at 05:55, Stephen Sprunk wrote:
Thus spake "Michael Thomas" <mat@cisco.com> > It depends on what you mean by signing. Signing a message in and > of itself ought not hurt anything modulo software bugs, etc. But the > real question is what does the receiving program (MTA, MUA) do > with that signature? At the very least it could verify the signature, > but then what? If it doesn't verify do you drop it? (transitive trust > comes into play, but most likely). Does it do anything beyond that? Well, if you use a score-based anti-spam system, the lack of a signature could "cost" a message a few points, but that's about it. The root problem here is we're trying to define an authentication system without also defining the authorization or accounting systems to use it.
|
-- Franck Martin <franck@sopac.org> SOPAC |