RE: UCE - a simpler approach using just digital signing?

2009-02-01 Thread Jennifer Bayuk
On Saturday, January 31, 2009 6:36 AM, Sascha Silbe wrote: Another scheme (that could be combined with the above one to solve only the CC party problem) would be accepting only PGP mail and use a manually updated whitelist / web of trust of PGP keys. Unfortunately, PGP still isn't

Re: UCE - a simpler approach using just digital signing?

2009-02-01 Thread John Levine
One idea I have not seen mentioned here (and which I have not yet encountered in RL, but only weird people send me email these days) is for the sending MTA to use pgp to encrypt mail using the recipient's public key, available on one of the key servers near you. I don't understand what problem

Re: UCE - a simpler approach using just digital signing?

2009-01-31 Thread Sascha Silbe
On Fri, Jan 30, 2009 at 01:47:23PM -0800, Ray Dillinger wrote: Each time Fred gives out his email address to a new sender, he creates a trust token for that sender. They must use it when they send him mail. That's basically what I'm using, just without the digital signature part: each

Re: UCE - a simpler approach using just digital signing?

2009-01-31 Thread John Levine
That's basically what I'm using, just without the digital signature part: each person/organisation/website/whatever gets a different email address for communicating with me (qmail makes this easy to implement) I do that too -- I bet half the people on this list do, and there's lots of free and

UCE - a simpler approach using just digital signing?

2009-01-30 Thread Ray Dillinger
I have a disgustingly simple proposal. It seems to me that one of the primary reasons why UCE-limiting systems fail is the astonishing complexity of having a trust infrastructure maintained by trusted third parties or shared by more than one user. Indeed, trusted third party and trust shared

Re: UCE - a simpler approach using just digital signing?

2009-01-30 Thread Jerry Leichter
On Jan 30, 2009, at 4:47 PM, Ray Dillinger wrote: I have a disgustingly simple proposal. [Basically, always include a cryptographic token when you send mail; always require it when you receive mail.] There is little effective difference between this and whitelists. If I only accept mail

Re: UCE - a simpler approach using just digital signing?

2009-01-30 Thread John Levine
Hi. One of the hats I wear is the chair of the Anti-Spam Research Group of the Internet Research Task Force, which is down the virtual hall from the IETF. You know how you all feel when someone shows up with his super duper new unbreakable crypto scheme? Well, that's kind of how I feel here.

Re: UCE - a simpler approach using just digital signing?

2009-01-30 Thread Taral
On Fri, Jan 30, 2009 at 1:47 PM, Ray Dillinger b...@sonic.net wrote: This is basic digital signatures; it would work. What's your transition plan? How do you deal with stolen trust tokens? (Think trojans/worms.) Also see: http://craphound.com/spamsolutions.txt -- Taral tar...@gmail.com Please