On 2004-05-09 14:12:07 -0700, Daniel Veditz wrote:
> Troels Jakobsen wrote:
> > Situation 1 is infeasible, since it requires all ordinary users to
> > obtain a certificate to use as signature. The procedure of obtaining
> > the certificate is non-trivial, costs money, and can't be automated,
> > since the CA (cert. authority) guarantees the identity of the owner.
> > If you could automatically get a certificate it would be worthless.
>
> Anyone can get a free email cert from Thawte. Non-trivial as you mention
> (find the site, find the freemail page on the site, fill in the forms,
> respond to email, wait, save and import cert into browser), but anyone with
> a working email address can do it.
>
> > Situation 2 is undoubtedly feasible, and I suppose some spam filters
> > use a signature as proof of validity. It's just that so few emails are
> > actually signed that it makes no difference.
>
> And there's nothing stopping spammers from getting a cert should such a
> filtering method prove effective.
I think the first step should be forgetting X.509: http://www.openpgp.org/technical/whybetter.shtml

So we should use OpenPGP more, instead of X.509. So:

Signed trusted messages are non-spam. All other signed and unsigned messages go to the filter.

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
