- the last time I checked, DSA is patented. I don't know what the
situation is at the moment re. licensing DSA technologies.
If there is an issue with the DSA licensing scheme, I believe this method
could use any digital signing method in order to get the desired effect.
- it doesn't actually "eliminate" spam - spammers may still choose to
wear the cost of computation. From my reading of the protocol, after
they succeed in cracking the weak cypher key, the spam message is
still delivered. That's different to my definition of "eliminate".
Well, what this method does, is make it infeasible to make a business out
of spamming. When you require connections to identify themselves it
becomes very easy to make it very hard for a select group of people to
abuse it. For instance if a big company emerged and used the domain
spammers.org or certain IPs that were known, E-Mail host operators could
easily make it 10 time or 100 times more difficult for a message to be sent
from that domain or group of IPs. Knowing that it is so easy for an E-Mail
host admin to single them out and ramp up difficulty in sending, spammers
would be very weary of investing a large amount of money in getting more
processing power.
The difficulty alone in solving the computation task makes it impossible
for a single CPU or group of them to be effective at spamming. If mail
host administrators generally picked a 10-20 second work load for a message
to be sent, that would mean 10-20 seconds between each message which would
be a huge detrement to spamming.
- a distribution list could be the way spammers get around this protocol:
spammer joins ASRG list, starts collecting names
since ASRG mail server is sending messages to us, it includes its
public key and a signed piece of info in every message.
spammer gathers 1 or more of these signed pieces of info, and send a
message to the recipients of the list, using the ASRG mail server's
public key and signed piece of info. Since all of us have (of
course) included ASRG in our white list, the spammers messages get
through with no challenge/computation effort.
Have I missed something ?
Well, that is a good idea however I think this "problem" would be solved
with a good implementation. If the mail host generated a random message
and required the client to sign it, there would be no way for a client to
know what information it would be required to sign and no way for other
clients to use them.
Second of all, the signed piece of information isn't distributed. Once
identity is verified the information is discarded so the only way for a
spammer to gather signed information would be to be a mail host. Aside
from the fact that gathering signed information has no benefit.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg