On Wed February 25 2004 10:27, John Stracke wrote:

> Dave Aronson wrote:
> > On Wed February 25 2004 09:53, John Stracke wrote:
> > > Not necessarily. Spam viruses would then start collecting
> > > people's private keys.
> >
> > Theoretically possible, but at least it would significantly raise
> > the bar.
>
> Only one person needs to figure out how to do it. Think script
> kiddies.

True again, but I still don't think that this additional usage of private keys would provide sufficient incentive for a virus author. What do they gain out of snarfing someone's private key, that they wouldn't gain without this proposal? (For those tuning in late, it has unfortunately been pushed off the top, but boils down to mailing list processors being able to require and verify digital signatures on members' posts.) It nets them the ability to spam digsig-protected mailing lists that the victim is on, until the victim cleans out the infection and changes his key. BFD. I suppose some twerp might do so just because he can, but I don't think this will provide the incentive.

Admittedly, there are *other* existing incentives, and will probably be more as digitally signed and/or encrypted email becomes more popular and easier to use, but that's a whole 'nother story. These other incentives may cause such a virus to be written, and this mechanism may suffer as a result.

--
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
WE'RE HIRING developers, auditors, and VP of Prof. Services.