> From: Ed Gerck <egerck@xxxxxxx>

> Yes. However, if your mailbox could automatically handle confirmation
> requests based on messages that were actually sent by you (in much
> the same way that NAT boxes work -- you only get a reply to a request
> you send), then you would not be bothered by the C-R traffic at all.

As long as you are wishing for things with no prospect of reality in the foreseeable future, why not wish for long jail terms for the ROKSO 200?

Automatic C-R handling in MUAs would solve the spam problem much as NAT boxes have solved the address shortage and routing table size problems, by creating other problems that are worse in the long run. For example, C-R handling in MUAs would do nothing for the problems C-R systems have with mail that is not simplistic messages between individuals.

Someone recently wrote that challenge/response systems would be practical if there were a way for C-R systems to identify and not challenge mailing list traffic. That made me choke, because all spam is mailing list traffic. Perhaps what was intended was making C-R systems recognize solicited mailing list traffic. If your C-R system could do that, there would be no need for any challenging or responding. You would challenge neither non-bulk nor solicited bulk mail, and would simply reject all unsolicited bulk or spam mailing list traffic.

> Messages among complete strangers is a necessary feature, IMO, but
> shouldn't it behave in cyberspace as we learned to do it in the
> social space? Trust is earned. When a complete stranger calls me,
> I usually ask who or what introduced me to him before I start any
> conversation. If the complete stranger has no satisfactory answer,
> I ask him to take me off his database and not call again.

If that's good enough for you, then you already have it. The start of a phone call from a stranger corresponds to the initial mail message. The asking to be added to a DNC list corresponds to adding an entry to your email blacklist.

You probably want PKI magic that will tell your MTA or MUA whether substantially identical copies of an incoming message from a complete stranger will soon be sent to 30,000,000 of your intimate friends. That magic would happen before you do the equivalent of answering a phone call from a stranger.

If you are among those who configure their telephones to reject calls with caller-ID values not in a whitelist, then you can configure your email system to do the same with IP addresses. That will eliminate essentially all spam. It also eliminates messages from strangers.

> > People who know each other's crypto keys are not strangers.
>
> It is possible for my MUA to automatically provide a complete stranger
> with my PK if I receive an email from him. The barrier to have my
> crypto keys does not have to be any higher than the barrier to have
> my email address.

If a complete stranger is the sender of an incoming message, then crypto keys are irrelevant to determining the message is unsolicited bulk. If the sender of spam is not a stranger, then you made a mistake in handling keys. The PGP mantra that a good key does not imply that the sender or the message is good applies here.

Vernon Schryver
vjs@xxxxxxxxxxxx