ietf

Re: namedroppers, continued

2002-12-02 15:17:21
On Mon, 02 Dec 2002 08:28:57 PST, "Hallam-Baker, Phillip" said:

> The only way to resolve this issue properly would be to require every
> submission to an IETF mailing list to be cryptographically signed (PGP
> or S/MIME), to require the subscribers to register their signing key and
> to then filter the mail sent out on the list so that only signed mail
> gets through.

OK.. Almost plausible.  However note that currently, the PGP web-of-trust
covers only a small percentage of the subscribers to the IETF list, and
there's no *really* good PKI for S/MIME yet (hint - we don't seem to even
understand how to apply 'basicConstraints', so if you think we're going to
have working CRLs anytime soon, please share the name and address of your
pharmaceutical supplier.. ;)

> Thawte still provides free S/MIME certificates, however for the purposes
> of this proposal it would suffice to use a self signed certificate.

Unfortunately, although a self-signed cert works really nicely for some
purposes (for instance, it's quite sufficient to get an SSL tunnel started
so passive snooping doesn't work), it's inadequate here.

The problem is that there's no good way to tell my self-signed cert from
Dan Bernstein's self-signed cert from J. Slimy Spammer's self-signed cert.
I'd be interested in knowing what quality of a self-signed cert would
denote that the poster was possessed of the Non-Spammer Nature.

I propose to you that using a Thawte free S/MIME cert proves approximately
zero - a spammer can just get one for each run (and remember that no matter
how much a spammer tries to hide their identity, they *still* have to provide
a working way to reach them (via smtp or http or whatever) or they don't get
any feedback....)

/Valdis

Attachment: pgpc1Eo2nufgg.pgp
Description: PGP signature
