At 17.03.2003 13:38 -0600, meor(_at_)mail(_dot_)SoftHome(_dot_)net wrote:
At 13:59 3/17/2003 -0500, you wrote:
On Mon, 17 Mar 2003 12:39:09 CST, meor(_at_)mail(_dot_)SoftHome(_dot_)net said:
> I had to send and receive 3 E-Mails to sign up for this list. If the
> proposed method was implemented, only one would have to be sent. The one
> E-Mail would add the list's public key to my white list (implicitly by
> sending them an E-Mail), and the list owner would know that I signed up for
> it (no one signed me up for it out of spite), because of my public key.
This assumes the existence of a PKI. Without that, it's fairly trivial
for me to crank out a bogus digital signature claiming to be from
meor(_at_)mail(_dot_)softhome(_dot_)net and forge subscriptions for you. And
without any mailback confirmation, you'd not even know what happened until
you started getting 300+ pieces of mail a day from linux-kernel mailing list. ;)
Yes, a self-signed cert *will* prove that two somethings have the same source,
but that doesn't help in trying to confirm a subscription to an e-mail list...
Actually this method would not need a PKI. Upon the first attempt to send
mail to the end user by the Mail list, the mail list would be told that
the public key/signature is not recognized at which point it would be
known that the recipient mail box did not request list subscription.
Even if you did have to send 3 E-Mails with the new method, like you do
with the current method, this does not disprove the ability to subscribe
to bulk mailing lists. The point I was trying to demonstrate was that
white lists are easy to implement, and digital signatures verify origin.
How would a newsletter sender find out if he tried to send a mail to an
unsubscribed user or to a user who has forgotten to whitelist the sender yet?
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
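
The exchange debated in this thread, as an added example that is not part of the original messages: a Node.js model in which a self-signed key lets a forged subscription request pass the list's signature check, while the recipient's whitelist rejects the list's first delivery. The class and function names, the example.org addresses, the use of Ed25519, and the assumption that the rejection is reported back to the list are choices made here, not details from the thread.

```javascript
// Added illustration; every name and address below is hypothetical.
const crypto = require("crypto");
const newKey = () => crypto.generateKeyPairSync("ed25519");
const fingerprint = (pub) => crypto.createHash("sha256")
  .update(pub.export({ type: "spki", format: "der" })).digest("hex");
const payload = (m) => Buffer.from(`${m.from}\n${m.to}\n${m.body}`);

// Mail carries the sender's self-signed public key: no CA, no PKI.
function signMail(from, to, body, key) {
  const m = { from, to, body, pub: key.publicKey };
  return { ...m, sig: crypto.sign(null, payload(m), key.privateKey) };
}
const sigValid = (m) => crypto.verify(null, payload(m), m.pub, m.sig);

class Mailbox {
  constructor(address) { this.address = address; this.key = newKey(); this.whitelist = new Set(); }
  // Writing to the list implicitly whitelists the list's key.
  sendTo(list, body) {
    this.whitelist.add(fingerprint(list.key.publicKey));
    return signMail(this.address, list.address, body, this.key);
  }
  receive(m) {
    if (!sigValid(m)) return "reject: bad signature";
    return this.whitelist.has(fingerprint(m.pub)) ? "accept" : "reject: key not recognized";
  }
}

class List {
  constructor(address) { this.address = address; this.key = newKey(); this.subscribers = new Set(); }
  // The list can only check that the signature matches the enclosed key.
  subscribe(m) {
    if (sigValid(m)) this.subscribers.add(m.from);
    return sigValid(m);
  }
  // Assumption: the recipient's verdict reaches the list, which then drops the address.
  deliver(box, body) {
    const verdict = box.receive(signMail(this.address, box.address, body, this.key));
    if (verdict !== "accept") this.subscribers.delete(box.address);
    return verdict;
  }
}

function demo() {
  const list = new List("list@example.org");
  const alice = new Mailbox("alice@example.org"), bob = new Mailbox("bob@example.org");
  const genuine = list.subscribe(alice.sendTo(list, "subscribe"));
  const forged = list.subscribe(signMail(bob.address, list.address, "subscribe", newKey()));
  const toAlice = list.deliver(alice, "issue 1"), toBob = list.deliver(bob, "issue 1");
  return { genuine, forged, toAlice, toBob, left: [...list.subscribers] };
}
```

In demo(), forged is true because the list cannot tie a self-signed key to bob@example.org, and toBob is a rejection because that mailbox never whitelisted the list's key.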