> > However, creating new publick/private key pairs is an incredibly
> > expensive operation, and one that a legitimate email wouldn't
have to
> > do very often, but a spammer would if we just keep blacklisting
their
> > keys.
>
> Uh? Creating a Diffie-Hellman public/private key pair is actually
quite
> simple. Even an RSA pair is not all that hard, considering that a
set
of
> N prime numbers can generate N.(N-1)/2 key pairs. The logical
> consequence of authenticated e-mail is bound to be authenticated
spam...
You don't see that as a step in the right direction?
It depends whether you use something like PGP or something like PKI. If
PGP or PGP-like, then the spammers can very easily create throw away
identities, and we have not gained much. In fact, spammers seldom fake
the email addresses of one of your friends, so a PGP solution would not
be a dramatic improvement over simply maintaining a "white list" of
friendly email addresses.
If PKI or PKI-like, then the spammers would need to obtain an actual
certificate for each of their throwaway identities. But so would
everyone else, which implicitly limits the cost of obtaining a
certificate to whatever the public can bear, and the amount of identity
checks to whatever the public is willing to accept, which today is an
e-mail reachability test. So, the spammers will be slowed down, but not
much.
-- Christian Huitema