Hello Robert,

Friday, June 27, 2003, 8:33:17 AM, you wrote:

>>> I could almost bet my left index finger on the fact that 99%
>>> of those PGP-signatures are invalid. ...

>>I'll profess some degree of ignorance about PGP signatures, but does
>>it matter if it's valid or not?  Couldn't a spammer generate a
>>perfectly valid PGP signature and use it in their messages to get the
>>lower score?   

RS> I too have large gaps in the operation of PGP, but is it not tied to
RS> an email address or some other publicly available validation of the
RS> sender's identity?
RS> What is the point of using a key for non-repudiation if you can't
RS> identify who sent the message? 

Most definitely -- anyone who has a current PGP or equivalent
installation can verify my signature, ensuring that a) it is a valid
signature, b) it identifies my current email addresses (not the one I use
most often for this list), and c) if you know the people who have
signed/validated my key, then you can have a good confidence level this
message really came from me.

It shouldn't be too hard to identify a syntactically correct PGP
signature. Those that are wrong or incomplete should get a high score
(they might be the cause of human error, but are most likely forged).

Verifying the checksum of the signature (is the signature correct for the
message) would most likely require a local PGP or equivalent
installation, but it shouldn't be too hard for SA to call PGP, feed it
the message, and get a response back. If invalid, give it a middling high
score, and if valid give it maybe a -0.5 (extremely unlikely for spam,
but technically not all that hard to incorporate).

Slightly more complex but certainly not hard should be to allow users to
incorporate their recognized/confirmed identity checksums in local.cf or
user_prefs. For instance, I believe if you use PGP to verify my signature
for this message, you'll find in the verification a line that looks like
> *** Signer:   Robert Menschel <[EMAIL PROTECTED]> (0x38AA1D47)
The format, name, and even email address would be easily forged, but only
someone who actually has my public key should be able to forge the
hexadecimal identification.

If we added the ability to include lines in local.cf or user_prefs like
> validpgp 0x38AA1D47
(a list of space-separated hex numbers), then THOSE specific signatures
could score strong negatives, similar to a whitelist. (I'd like to see
the ability for each user to set their score, perhaps with a
> SCORE VALIDPGP -2.0
line in local.cf or user_prefs.)

We'd need to have an installation option, or a local.cf option, which
allows this PGP overhead to be turned on or off (default off, assuming
the installation doesn't have PGP).

It seems like this should be feasible.  Any chance something like the
syntax validation might be incorporated into 2.7, and the actual PGP
interface into 3.0?

Bob Menschel

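The checks floated in the message above, as an added example (not code from the thread or from SpamAssassin itself): a Python sketch that classifies the PGP armor as absent, well-formed or broken, reads the proposed `validpgp` and `score VALIDPGP` lines (their syntax is assumed), and maps `gpg --status-fd` output to the scores discussed. The config and gpg status lines in the test are constructed; the -0.5 and -2.0 values are the ones from the message, while 2.0 and 3.0 for the failing cases are arbitrary choices.

```python
import re
import subprocess
ARMOR_RE = re.compile(                    # layout of a clearsigned message
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n"
    r"Hash: [\w,]+\r?\n\r?\n"             # hash header, then a blank line
    r".*?\r?\n"                           # the signed text
    r"-----BEGIN PGP SIGNATURE-----\r?\n"
    r"(?:[\w-]+: [^\r\n]*\r?\n)*\r?\n"    # optional armor headers (Version: ...)
    r"(?:[A-Za-z0-9+/=]+\r?\n)+"          # base64 signature lines
    r"=[A-Za-z0-9+/]{4}\r?\n"             # 24-bit CRC line, e.g. "=wf1J"
    r"-----END PGP SIGNATURE-----",
    re.S,
)

def armor_state(text):
    """'none' (no PGP markers), 'ok' (well-formed clearsign block) or 'broken'."""
    if "BEGIN PGP SIGN" not in text:
        return "none"
    return "ok" if ARMOR_RE.search(text) else "broken"

def parse_config(cfg):
    """Read the proposed 'validpgp 0x...' and 'score VALIDPGP x' lines (syntax assumed)."""
    keys, validpgp_score = set(), -2.0
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "validpgp":
            keys.update(p.upper().removeprefix("0X") for p in parts[1:])
        elif len(parts) == 3 and parts[0].lower() == "score" and parts[1].upper() == "VALIDPGP":
            validpgp_score = float(parts[2])
    return keys, validpgp_score

def score_status(status, keys, validpgp_score):
    """Map gpg --status-fd output to a score (GOODSIG/BADSIG/ERRSIG are real gpg keywords)."""
    good = re.search(r"^\[GNUPG:\] GOODSIG ([0-9A-Fa-f]+)", status, re.M)
    if good:                              # last 8 hex digits = short key ID, as in 0x38AA1D47
        return validpgp_score if good.group(1)[-8:].upper() in keys else -0.5
    if re.search(r"^\[GNUPG:\] (BADSIG|ERRSIG)", status, re.M):
        return 2.0                        # signature present but does not verify
    return 0.0

def score_message(text, cfg, status=None):
    state = armor_state(text)             # 'status' lets a caller inject gpg output
    if state != "ok":
        return {"none": 0.0, "broken": 3.0}[state]
    if status is None:                    # otherwise ask the local gpg installation
        proc = subprocess.run(["gpg", "--batch", "--verify", "--status-fd", "1"],
                              input=text.encode(), capture_output=True)
        status = proc.stdout.decode(errors="replace")
    return score_status(status, *parse_config(cfg))
```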
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk