At ApacheCon EU 2005, I had a chance to speak with folks from Thawte and from CAcert regarding the use of signed e-mail, using existing RFCs, as a tool to fight SPAM. A senior engineering manager from Thawte and a CAcert rep have subscribed to this list for purposes of furthering these discussions. This e-mail is just to bring the subject to the list, and open the topic for discussion.
Signed e-mail can be an effective tool to address SPAM. Signed e-mail can be validated to know that there is a trusted identity responsible for the e-mail. It addresses the needs of mobile workers and improves the ability to use SMTP relays, reducing the need to police e-mail by IP address. We can validate the authenticity of signed e-mail early, reject e-mail that fails authentication, and reduce the amount of SPAM congesting the Internet. Where there is a need for anonymity, "anonymizers" can sign e-mail on behalf of their clients (as we do with our server-side signing), where the anonymizer's reputation and ability to block SPAM will affect whether the e-mail will be accepted downstream.

Thus far our efforts, and later efforts by Yahoo!, have focused on the platform we can control: the mail server. We added server-side message signing using standard S/MIME, and subsequently Yahoo! published their DomainKeys (http://antispam.yahoo.com/domainkeys) specification, but in both cases the necessary ubiquity is lacking.

There was a feeling at ApacheCon that by working with CAs, we can help to promote much broader penetration of signed e-mail because of their established ties with major MUA authors.

Regardless of whether e-mail is signed by the MUA or MTA, a necessary piece of the puzzle is a mechanism to validate the mail signing certificate. Yahoo! has a DNS-based approach, and at ApacheCon we discussed DNS, OCSP and LDAP. There appears to be a consensus that LDAP is the best way to go, but the topic is still open.

So there you go. This is just a note to kick off the discussion. Hopefully, it says enough to get people involved, and is vague enough to allow people to bring their own ideas to the table.

--- Noel
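An added example, not part of Noel's post or of any Apache project's code, showing the server-side S/MIME signing and early verify-or-reject step the post describes, using the `openssl smime` CLI; the key, the self-signed certificate (standing in for one issued by a CA such as Thawte or CAcert) and the message are all constructed here, and the `inbound_policy` helper is hypothetical.

```shell
#!/bin/sh
# Added example: sign outbound mail server-side with standard S/MIME and let a
# receiving MTA verify the signature against a trusted certificate, accepting
# mail that validates and rejecting mail whose content no longer matches its
# signature. Everything below (names, key, certificate, message) is constructed.
set -u
WORK=$(mktemp -d)

make_signer() {
    # Constructed signer key and self-signed certificate. In production the
    # certificate would come from a CA the receiving side already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=relay.example.org/emailAddress=postmaster@example.org" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

sign_message() {
    # $1 = plain text body, $2 = output: a clear-signed multipart/signed message
    # (-text wraps the body as text/plain before signing).
    openssl smime -sign -text -in "$1" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$2" 2>/dev/null
}

verify_message() {
    # Exit status 0 only if the signature is valid and the signer chains to
    # the trusted certificate; any change to the signed content fails this.
    openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" \
        -out /dev/null 2>/dev/null
}

inbound_policy() {
    # What an MTA could do early in the SMTP transaction for message file $1:
    # prints "accept" when the signature validates, "reject" otherwise.
    if verify_message "$1"; then echo accept; else echo reject; fi
}

# Constructed run: sign a message, then alter the signed copy in transit.
make_signer
printf 'meet at noon\n' > "$WORK/msg.txt"
sign_message "$WORK/msg.txt" "$WORK/signed.eml"
sed 's/noon/midnight/' "$WORK/signed.eml" > "$WORK/tampered.eml"
```

Requires the `openssl` command line tool; an unsigned or modified message takes the "reject" branch, exactly the early rejection the post proposes.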
