Actually, a vetting database would be fairly easy, if the traffic
level can be supported. Here is the outline of one model, based on
authentication/validation systems for VPNs and other systems. This
example is oriented around a 3rd party (think of them as equivalent
to Verisign or Thawte - root certificate signers).

We use PGP as the basis. A mail lister gets a new ID phrase from
the root every day, for example, via a secure query. This ID phrase
is different for each list, and changes daily. The lister decrypts
the phrase using the root's public key, then re-encrypts it using its
own private key and AOL's public key. It inserts the phrase in each
email going to AOL. (It encrypts the phrase with other providers'
public keys for those providers, duh.)

AOL picks up the mail, decrypts the key, and compares it to its own
query to the root for that mail list's ID for the day. If they
match, the mail is legit and goes through unless AOL has some reason
to block it. AOL need not query more than a few times per day per
list, as it can be cached for a certain time.

Thus, AOL knows that the mail is from the real list, and can follow
user-defined policy as to whether to let it through or not, either
globally or per user. It need not know anything about the list,
only that it's listed. Also, this doesn't require AOL or the mail
list to participate - only those who want to use this service need
do so.

The entire system could be incorporated into list software, so the
mail list managers have a relatively limited additional
administrative burden. All key management and phrase queries could
be done via email as well, so no additional ports would be required.

There would be a once-per-year cost for the certificate (like
secure servers) which might be a problem for small lists, unless
it's per list server, not per list. This could still work if the ID
can be used for multiple lists, with the presumption that the list
server would not forge its own lists.

Hey, I'd think this would be a good opportunity for someone to do -
Thawte might even want to provide this service. Hey, I might even
do it if folks are interested. Would you pay $100 per year for
this?

G
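
The receiver-side check outlined in this message (compare the phrase carried in the mail with the provider's own cached query to the root), as an added example that is not part of the original post. Assumptions: the names Root, Receiver and demo, the list names, the HMAC-derived daily phrase and the 6-hour cache lifetime are all hypothetical, and the PGP wrapping of the phrase is left out, so the phrase is handed over in the clear.

```python
import hashlib
import hmac
from datetime import date, datetime, timedelta

class Root:
    """Stand-in for the third-party root: one ID phrase per list per day (assumed HMAC)."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self.queries = 0  # number of phrase lookups served

    def phrase(self, list_id: str, day: date) -> bytes:
        self.queries += 1
        msg = f"{list_id}|{day.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

class Receiver:
    """Provider side: caches the root's answer and compares it with the mail's phrase."""
    def __init__(self, root: Root, ttl: timedelta = timedelta(hours=6)):
        self._root, self._ttl = root, ttl
        self._cache = {}  # (list_id, day) -> (phrase, fetched_at)

    def _expected(self, list_id: str, now: datetime) -> bytes:
        day = now.date()
        hit = self._cache.get((list_id, day))
        if hit is None or now - hit[1] > self._ttl:
            hit = (self._root.phrase(list_id, day), now)
            # Keying by day and pruning means a cached phrase never outlives its day.
            self._cache = {k: v for k, v in self._cache.items() if k[1] == day}
            self._cache[(list_id, day)] = hit
        return hit[0]

    def is_listed(self, list_id: str, carried: bytes, now: datetime) -> bool:
        # Constant-time comparison of the carried phrase with the expected one.
        return hmac.compare_digest(carried, self._expected(list_id, now))

def demo():
    """Constructed sample run: returns the five verdicts and the root query count."""
    root = Root(b"constructed-root-secret")
    aol = Receiver(root)
    t1 = datetime(2024, 5, 1, 9, 0)
    token = root.phrase("cats-l", t1.date())  # what the lister fetched that morning
    root.queries = 0                          # count only the receiver's queries
    results = [
        aol.is_listed("cats-l", token, t1),                       # genuine mail
        aol.is_listed("cats-l", token, t1 + timedelta(hours=1)),  # served from cache
        aol.is_listed("cats-l", b"\0" * 32, t1),                  # made-up phrase
        aol.is_listed("dogs-l", token, t1),                       # phrase of another list
        aol.is_listed("cats-l", token, t1 + timedelta(days=1)),   # yesterday's phrase
    ]
    return results, root.queries
```

Keying the cache by list and day is what keeps the "cached for a certain time" step from accepting a phrase after the daily change.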