In message <[EMAIL PROTECTED]>, Fred Bake
r writes:
>At 08:28 AM 12/2/2002 -0800, Hallam-Baker, Phillip wrote:
>>The only way to resolve this issue properly would be to require every
>>submission to an IETF mailing list to be cryptographically signed (PGP
>>or S/MIME), to require the subscribers to register their signing key and
>>to then filter the mail sent out on the list so that only signed mail
>>gets through.
>
>I would be in favor of that, personally, as long as we can ensure that the
>appropriate signature facility (be it RSA, PGP, or whatever) is freely
>available to all who need to use it. The issue here is not us corporate
>types who have a business reason to buy the software, it is the students
>who often lack the funds. The big issue would be the procedures for posting
>one's key to the appropriate place - what is to stop a spammer from posting
>a key and sending the spam anyway? I'm not proposing a mechanism, but
>someone who is good at such things might well find it of value.
>
Well, it's also the availability of the right signature facility in the
myriad email clients people use.
>
>I think it was Steve Bellovin that suggested a procedure for reducing the
>utility of spoofing source addresses in emails; if not, it was me and I
>happened to suggest something his favorite algorithm fit into, by having a
>host in each mail domain (mailid.example.com) be able to assert that its
>domain had or had not sent an email within a given recent time period
>whose MD5 hash, when divided by <vector of prime numbers> resulted in
><vector of remainders>. I could write that up in an internet draft if folks
>think it makes sense. That would be a more global procedure that didn't
>require a PKI and only addressed spoofed addresses.
>
Wasn't me...
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
