Re: authenticated email

Michael Thomas wrote:

It depends on what you mean by signing. Signing a
message in and of itself ought not hurt anything
modulo software bugs, etc. But the real question
is what does the receiving program (MTA, MUA) do
with that signature? At the very least it could
verify the signature, but then what? If it doesn't
verify do you drop it? (transitive trust comes
into play, but most likely). Does it do anything
beyond that?

Let me ask something in return: do you think that
just the act of signing mail -- with no trust
roots implied -- could help? My sense is that it
might in a sow-the-seeds kind of way for some
later goodness (it's as you say not a solution).
I too would be happy to hear downsides.


Without trust roots, webs of trust, or additional
mailing list daemon features, signed e-mail doesn't
really add anything, at least not now.

Signed e-mail could help ensure that e-mail
sent to a list comes from the same person
as the one who subscribed to the list. But then
again, the same feature could be implemented
much simpler by some header which must stay
constant from the same person and is stripped
off by the list daemon when forwarding the mail
to the subscribers.

More seriously, ensuring the sender's address
is right is useless IMHO unless there's a policy
for letting people to sign-up to a list. Spammers
could get a new address and generate a key pair,
sign up using them, send spam, and repeat with
another address and key.

So, its the same old question once again: how
do we all enroll ourselves to the same trusted
root or web of trust? Should the next PGP key
signing party be held in the plenary, for everyone?
Or maybe Harald stands in the IETF reception desk
to look at people's passports and certifies keys?
Hmm... maybe we could make PGP key mandatory in
registration, and have the secretariat form a web
of trust. At least we could trace every key to
a credit card number... sounds pretty good but
this wouldn't deal with the folks who don't come
to the meetings. Maybe we could turn on mandatory
PGP signing for all list e-mail for a year, and
at the end of the year make a web of trust for the
folks who sent e-mail that year. That wouldn't
be perfect, but it would sure reduce the size of
queue in front of Harald for the passport check ;-)

--Jari

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Engineering to deal with the social problem of spam, (continued) Re: Engineering to deal with the social problem of spam, Bill Sommerfeld Re: The utilitiy of IP is at stake here, Kurt Erik Lindqvist RE: The utilitiy of IP is at stake here, J. Noel Chiappa RE: The utilitiy of IP is at stake here, Tony Hain Re: The utilitiy of IP is at stake here, Anthony Atkielski RE: The utilitiy of IP is at stake here, Tony Hain authenticated email, Michael Thomas Re: authenticated email, Harald Tveit Alvestrand Re: authenticated email, Scott Francis Re: authenticated email, Michael Thomas Re: authenticated email, Jari Arkko <= Re: authenticated email, Theodore Ts'o Re: authenticated email, Jari Arkko Re: authenticated email, Theodore Ts'o Re: authenticated email, Alexandru Petrescu Re: authenticated email, Harald Tveit Alvestrand Re: authenticated email, Stephen Sprunk Re: authenticated email, Michael Thomas Re: authenticated email, Anthony Atkielski Re: authenticated email, Einar Stefferud Re: authenticated email, Anthony Atkielski