At 01:35 PM 8/29/2004 -0400, David Brodbeck wrote:
AccuSpam wrote:
Again I assert that crypto signing of e-mail is going to happen. I assert
that a de-centralized approach like SenderKeys is our best defense.
The possibility for people to crypto-sign their email has been around
ever since PGP was invented. Almost no one actually takes advantage of
it, though. I don't think people see any great benefits to it, so I
doubt it'll be widespread anytime soon.
It occurred to me that people (including myself) do not use PGP or S/MIME
signing because it is not automatic to setup and recipients do not
automatically support it.
That is one reason why I proposed SenderKeys, which automates adoption to some
degree.
The various national
encryption regulations, such as the US encryption export regulations
[...]
are another example of a policy which actively
interferes in the inclusion of encryption/authentication systems for general
software publication.
I think it is logical to expect the national security agencies of USA to be
against encryption of e-mail, but not against using cryptography for signing,
as long as export of the crypto technology does not enable, support, or
encourage strong encryption of e-mail.
[...]
Almost all "hashcash" authors are
very excited about the cost of having a "sender pays" system where the
sender is forced to generate computational checksums of their messages in
order for their email to be painlessly accepted. Unfortunately, they're
almost all intertwined with a challenge-response system so that the hashcash
token from authenticated senders or sites is accepted. They believe that
people will be happy to respond to these challenges so that their next email
gets through
[...]
Per-user crypto anti-forgery could be a form of "hashcash", with adoption
automated to some degree.
As a point of comparison of the rate of (or automating) deployment:
There are apparently 63 million domains registered, 1.5 million new ones per
month, and only apparently (I did not verify source) 100,000 known SPF records
registered and most of those are probably not "-all":
http://www.internetretailer.com/dailyNews.asp?id=12163%20
However, on the positive side, I expect that SPF will be very soon, if not
already, a standard for anti-forgery among verifiers (e.g. anti-spam).
However, I am still worried that SenderID will overtake SPF because it will be
more widely implemented due to Microsoft's influence. So it might make more
sense to reuse the SPF record for SenderID, and get an explicit statement in
the licensing to make sure Microsoft is not claiming the use of the underlying
SPF record.
-Shelby Moore