ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: namedroppers, continued

2002-12-06 15:26:35
from [Fred Baker] [Permanent Link] 
At 08:28 AM 12/2/2002 -0800, Hallam-Baker, Phillip wrote:

The only way to resolve this issue properly would be to require every
submission to an IETF mailing list to be cryptographically signed (PGP
or S/MIME), to require the subscribers to register their signing key and
to then filter the mail sent out on the list so that only signed mail
gets through.
I would be in favor of that, personally, as long as we can ensure that the appropriate signature facility (be it RSA, PGP, or whatever) is freely available to all who need to use it. The issue here is not us corporate types who have a business reason to buy the software, it is the students who often lack the funds. The big issue would be the procedures for posting one's key to the appropriate place - what is to stop a spammer from posting a key and sending the spam anyway? I'm not proposing a mechanism, but someone who is good at such things might well find it of value.
It doesn't address the "off topic" issue. As you say, that could be left to a working group chair equiped with formal procedures developed by consensus within the work group or adopted by the working group from a more general place (ie, the IETF could suggest a procedure, and the WG could adopt it if it didn't feel another procedure would be better).
I have had a private exchange, over the past few days, with someone who wished that the IETF would please document some good spam-elimination procedure, so that it could be used world-wide to completely eliminate spam. I think that boils down to "provide a global PKI" in this solution, and presumes that spammers are incapable of using one. That might be a great research topic. Too bad nobody has ever thought of it before; we could really use the outcome of that research. (OK, so it's a lame attempt at humor...)
I think it was Steve Bellovin that suggested a procedure for reducing the utility of spoofing source addresses in emails; if not, it was me and I happened to suggest something his favorite algorithm fit into, by having a host in each mail domain (mailid.example.com) be able to assert that its domain had or had not sent an email within a given recent time period whose MD5 hash, when divided by <vector of prime numbers> resulted in <vector of remainders>. I could write that up in an internet draft if folks think it makes sense. That would be a more global procedure that didn't require a PKI and only addressed spoofed addresses.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: new.net (was: Root Server DDoS Attack: What The Media Did Not Tell You), Bill Cunningham
Next by Date:  Re: namedroppers, continued, Steven M. Bellovin
Previous by Thread:  Re: namedroppers, continued, Randy Bush
Next by Thread:  RE: namedroppers, continued, Marc Schneiders
Indexes:  [Date] [Thread] [Top] [All Lists]