-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On Mon, 30 Aug 2004, Eric S. Johansson wrote:
I see that as a spammer hole. either by mailing through the entire list or through collecting addresses of active participants, one can use that logic as a way of enabling parallel double spending. not to mention problems with distinguishing when the use the mailing list exclusion vs. not. A third failing is the ability to forge a message to make it look like it comes from the mailing list.
================
it may or may not be. i'm not using the world's best computer here, but a 20-bit stamp for everyone isn't too big a burden for me. moore's law will also apply to legitimate user's of hashcash ;)
I'm on the fence on that one as well. But the enterprise argument is the pushes me in the direction of saying it's unreasonable.
============
at the egress point for any aggregation of any number of e-mail users, traffic patterns start to look significantly like a spammer. The greater the aggregation, the greater the likeness.
=============
now I am not talking about the mass mailer. I'm talking about the ordinary organizations such as the typical 500 person or larger size company using e-mail to communicate with customers and suppliers.
I state again that a significant philosophical point should be that the ordinary communications between two parties should not be slowed any more than necessary. this philosophical point is why I'm arguing for something other than hashcash for known party communications. Today I use simple white lists. I want something better.
=============
anything that satisfies this requirement will violate the above requirement: enterprise systems are slow to change.
that may be. But I do believe that a box sitting in front of the mail server will be more acceptable than changing every desktop at least in the short term.
no need to wait for the technology advanced troops to pick up on something for it to be generally useful.
================
there is an unparalleled risk factor created when signatures happen on auto-pilot. public key systems will only result in "signed spam". there would be less spam getting through on a daily basis, but when a machine is cracked before a holiday weekend, and there are 100 people in the address book, those 100 people will likely suffer a DoS from the signed spam they're getting. it's debatable whether that's better or worse than a filter that let's 5% of spam through every day.
which is another argument for the more secure box sitting in front of the mail server. No matter what you do, if a machine is owned, you are screwed. But the benefits of optimizing communications between known parties is a significant argument for white lists by name or public key.
==========
If you rotate keys on a regular basis, then your exploitation window drops unless of course your machine has been compromised at which point, you are screwed.
==============
If you take care and protect your keys with passphrases or external devices, you are much better shape unless you machine has been compromised at which point, you are screwed
===============
for >99% of users, those precautions will not be taken.
I guess I'm trying to say is if you machine has been compromised, you are screwed no matter what. Either you machine is used as a zombie for generating lots of stamps, your address book is ripped off, your keys are ripped off, the data files can be ripped off. And, most people would never know what's happening. They're just screwed.
==========
agreed then: M$ is the problem ;)
summary: public keys can prevent forgery, not spam.
...atom
_________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 -------------------------------------------------
"If the world were merely seductive, that would be easy. If it were merely challenging, that would be no problem. But I arise in the morning torn between a desire to improve the world, and a desire to enjoy the world. This makes it hard to plan the day." -- E.B. White -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.6 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures
iQEcBAEBCAAGBQJBNRm8AAoJEAx/d+cTpVciiM8H/2ZKLO5czVDmJemqNmCJccqW DoQAFRAn9J3B13qf9k9C7rsceVrKpxXbnFsU+tf47g2fDrvU4VZGnbY+SBPtzWfV HPNCRzYNOKzshrCIqxYMZYjCTU1IJUQ/1hO/s3n/ifvihshv2nQLuKiURwZA1dnB bSEP8iLjUSZcpVHUdPA/DqodAYF6himdk/tTtfKrALSFXXuhNuTp739BASoX0+Qu K1LPiJDkkPVdPb8MGmxS7l+JtjCQ6xhEhnFRitr3naWHA9J5cXzwRmj4++9yvPge EwZs+nrD8yRY/jO2RkQNU/vcfHosKehVNruG22SZWYsyrXiJkZzOHBOeZklAlcM= =Q/AV -----END PGP SIGNATURE-----