Julien Pierre wrote:
> You would have to make a careful choice of which CAs you want to use if you were to implement such a PKI-based spam filtering policy.
A white-list only has to verify that the key is the same, it cares not about the CA. For this purpose, self-signed certs work fine. You are not asking the CA to say whether the email sender is a spammer or not, you are simply saying he wasn't a spammer the previous N times he sent you mail.
Key caching is a wonderful thing.
> The policy could be set not only by the end user in his e-mail client, but also by an ISP at the SMTP agent level, who could verify signatures and only deliver valid signed emails to a non-spam whitelisted folder.
True, the ISP could do upstream filtering on that basis. I'd suspect it wasn't worth it, though, as it would not scale as easily. It depends on the equation of bandwidth v. crypto time. Minor point.
> BTW, about 2 years ago, when I worked for AOL, I wrote a paper on this very topic - spam filtering with x.509 certificates and S/MIME digital signatures. Nobody ever cared about the idea, even as spam messages started costing millions of dollars to businesses everywhere. It was probably ahead of its time, but I still hope to see it implemented in some form someday. I'm sick of changing e-mail address every few months.
Ha, yes, it is a bit depressing. I have the same feeling about the phishing problem - we can see solutions but nobody wants to change. It seems that the only way companies will change is if they can see more money to be made.
My own feeling is that email will die, and chat will take over.
iang
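The key-caching whitelist discussed in this message, sketched as an added example (not code from the thread or from any mail client). It assumes the S/MIME layer has already checked the signature and passes the result in as a boolean; the class name, verdict strings, threshold and sample certificate bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Entry:
    fingerprint: str      # SHA-256 of the sender's certificate as first cached
    good_count: int = 0   # messages under this key the user accepted as non-spam


@dataclass
class KeyCache:
    threshold: int = 3    # the "N previous times" (assumed value)
    entries: dict = field(default_factory=dict)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # The issuing CA is never consulted, so self-signed certs work.
        return hashlib.sha256(cert_der).hexdigest()

    def classify(self, sender: str, cert_der: bytes, signature_ok: bool) -> str:
        if not signature_ok:
            return "unsigned"        # no valid signature: normal spam filtering
        entry = self.entries.get(sender)
        if entry is None:
            return "unknown"         # first contact, nothing cached yet
        if entry.fingerprint != self.fingerprint(cert_der):
            return "key-changed"     # same address, different key: no history
        if entry.good_count >= self.threshold:
            return "whitelisted"
        return "probation"

    def mark_not_spam(self, sender: str, cert_der: bytes) -> None:
        fp = self.fingerprint(cert_der)
        entry = self.entries.get(sender)
        if entry is None or entry.fingerprint != fp:
            # A new or replaced key starts its history from scratch.
            self.entries[sender] = Entry(fp, 1)
        else:
            entry.good_count += 1


def demo() -> list:
    cert_a = b"constructed-self-signed-cert-A"   # constructed sample bytes
    cert_b = b"constructed-self-signed-cert-B"   # constructed sample bytes
    cache = KeyCache(threshold=2)
    verdicts = [cache.classify("alice@example.org", cert_a, True)]
    for _ in range(2):
        cache.mark_not_spam("alice@example.org", cert_a)
        verdicts.append(cache.classify("alice@example.org", cert_a, True))
    verdicts.append(cache.classify("alice@example.org", cert_b, True))
    verdicts.append(cache.classify("alice@example.org", cert_a, False))
    return verdicts
```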
