Harald Tveit Alvestrand writes:
--On tirsdag, juni 03, 2003 09:20:24 -0700 Michael Thomas
<mat(_at_)cisco(_dot_)com>
wrote:
I, like you, suspect that authenticated email may
be helpful in the spam wars, but this must not be
viewed in isolation. "Authentication" begs the
question of identity, trust in assertion,
ownership of identity, and the motivation and
foibles of third parties who would likely be
needed to scale this to anything that would be
useful.
In particular, the latter is almost without
exception a "be careful for what you wish for"
situation. Centralization of power for naming and
thus participation would be a very convenient tool
to exclude undesirables. Today that's spammers,
but where are the checks and balances? What
prevents less worthy causes? How do you prevent an
unreasonable accrual of power made real by virtue
of being the path of least resistance for the
great unwashed masses?
Unless these issues -- and many more -- can be
finessed, the cure might be worse than the
disease.
I thought I'd try this....
is there any particular disadvantage or centralization of power implied in
me signing this message with my PGP key?
If not, is there any particular reason that I shouldn't do this all the
time?
It's not a solution, but is there a downside?
It depends on what you mean by signing. Signing a
message in and of itself ought not hurt anything
modulo software bugs, etc. But the real question
is what does the receiving program (MTA, MUA) do
with that signature? At the very least it could
verify the signature, but then what? If it doesn't
verify do you drop it? (transitive trust comes
into play, but most likely). Does it do anything
beyond that?
Let me ask something in return: do you think that
just the act of signing mail -- with no trust
roots implied -- could help? My sense is that it
might in a sow-the-seeds kind of way for some
later goodness (it's as you say not a solution).
I too would be happy to hear downsides.
Mike