Anthony Atkielski wrote:
Public-key encryption of an entire e-mail is extremely
processor-intensive.
Which is precisely the goal. It is not so extreme as to make routine
mail unusable, but extreme enough to make random bulk mail not worth the
cost.
Even conventional encryption is very
time-consuming. You can just hash it and sign the key.
That simply provides message integrity, the point is to make the cost
for the bulk sender higher than for the individual receiver.
However, this would be a problem for people in countries that
outlaw encryption. What would they do?
Break the law, because it is likely they are anyway for anything that
those laws are designed to prevent. ;)
Realistically, those situations would be addressed by including a plain
text copy as well. The agency concerned about enforcing encryption laws
could run the plain text part through the same encryption process and
verify that the output matches. Alternatively, the origin could be
required to encrypt using the enforcement agency key, then have the
enforcement point decrypt & re-encrypt with the receiver's key. Either
way there is enough pain felt at the enforcement point to ensure any
random bulk spam is dealt with locally and quickly.
... and provide an incentive for the ISPs to
actually deploy a PKI.
Who would you trust to certify keys?
For the purpose of email through the ISP servers, the ISP would be able
to handle key certification. Those keys may or may not be useful or
meaningful outside the context of services arranged by that ISP.
Tony