Jill -- I'm thinking that you may have answered your own question. The problem really lies in the fact that none of us uses secured e-mail exclusively. If so, then following a chain of signers to validate the sender creates the essence of a whitelist, thereby avoiding most spam.
However since we don't secure all messages that we send, we're essentially taking the risk of being spammed by maintaining a published e-mail address as well as no mechanism to determine if the mail is from someone legitimate. This is the basis of these challenge/response anti-spam systems. You e-mail me, my system challenges you to reply with a password or some other data, and I verify and then accept your e-mail. If you forced everyone who sent you e-mail to do so using PGP, you'd end up with two piles of mail -- those who had an acceptable chain of signers and those who didn't, essentially the same effect as the challenge/response systems. It wouldn't matter if the keyserver was completely open or not.

So back to the original question you posted -- "It seems to me that the possibility that spammers might harvest PGP keyservers for email addresses is a serious disincentive to using keyservers. Does anyone have any thoughts on this?". Any mechanism which publishes your e-mail address is going to be a bad thing from a spam perspective unless you are using other countermeasures. This is no different than a telephone number (which I now use Call Intercept to avoid telephone solicitors).

It seems to me that the world breaks down into two different groups -- those who religiously protect their access identifiers (e-mail addresses and phone numbers) and those who don't. You have consequences of each -- limited accessibility is traded off against spam. Interesting issues around this, and much discussed lately.

Cheers -- jeffrey kay

weblog <k2.com> pgp key <www.k2.com/keys.htm> aim <jkayk2>
share files with me -- get shinkuro -- <www.shinkuro.com>

"first get your facts, then you can distort them at your leisure" -- mark twain
"if the person in the next lane at the stoplight rolls up the window and locks the door, support their view of life by snarling at them" -- a biker's guide to life
"if A equals success, then the formula is A equals X plus Y plus Z. X is work. Y is play. Z is keep your mouth shut." -- albert einstein

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, June 10, 2003 11:54 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Keyservers and Spam

...

> So ... if you believe (as I do) that a PGP key is untrustworthy unless there
> is a chain of signers reaching from you to it, matching the settings in your
> PGP configuration file, then posting a bogus key becomes completely
> pointless.
>
> On the other hand ... if the key is NOT bogus, then it has my real name on
> it, and the spam problem remains.

...

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]