> From: Ed Gerck <egerck@xxxxxxx>
>
> > If a complete stranger is the sender of an incoming message, then
> > crypto keys are irrelevant to determining the message is unsolicited
> > bulk.
>
> No. In PGP, for example, I accept a key based on who signed it and
> when. If I can trust the signer(s), I may use a key from a stranger.

That sounds like the old "authentication solves spam" hope. It was wrong before SMTP-AUTH and it is still wrong. If the sender is a stranger, then by the definition of "stranger" you can know nothing more than that the key works. You cannot know whether the stranger is one of Alan Ralsky's myriad aliases delivering spam.

> > The PGP mantra that a good key does not imply that the sender or the
> > message is good applies here.
>
> Define "good key" and you'll define what the key is good for.

The ancient PGP mantra refers to keys that "work," as in the results of decoding using the indicated public keys yield valid messages. The key can be good, but a good key tells you nothing more than that the sender of the message knows the corresponding private key.

Would you trust every PGP key from the IETF key signings to guarantee that a message is not spam? Some IETF participants have been unashamed senders of unsolicited bulk commercial advertisements. The person I'm thinking of objected to his entry in my blacklist by insisting that although he had sent the triggering message, it was not spam because he had not sent more than one copy per mailbox. He might have since changed his definition and stopped sending unsolicited bulk mail, but it would be silly to think everyone who gets a PGP key signed at an IETF key signing party is someone from whom you want to receive mail.

Given who will pay certifiers, the IETF key signings are far less bad guarantors of non-spam than commercial certifiers.
Consider privacy policy certifiers and see one of the several versions of
http://enterprise-security-today.newsfactor.com/story.xhtml?story_title=Online_Privacy_Policies_Misleading

] An analysis of Web sites carrying those seals found that the
] companies running them ask for more personal information -- and
] protect it less -- than sites that have no seals.

Vernon Schryver vjs@xxxxxxxxxxxx