[13555] in cryptography@c2.net mail archive


RE: Keyservers and Spam

daemon@ATHENA.MIT.EDU (Jeffrey Kay)
Tue Jun 10 12:52:32 2003

X-Original-To: cryptography@metzdowd.com
From: "Jeffrey Kay" <jeff@k2.com>
To: <Jill.Ramonsky@Aculab.com>, <cryptography@metzdowd.com>
Date: Tue, 10 Jun 2003 12:43:05 -0400
In-Reply-To: <8C9A566C643ED6119E8900A0C9DE297A324683@saturn.aculab.com>

Jill --

I'm thinking that you may have answered your own question.  The problem
really lies in the fact that none of us uses secured e-mail exclusively.
If so, then following a chain of signers to validate the sender creates
the essence of a whitelist, thereby avoiding most spam.  

However, since we don't secure all messages that we send, we're
essentially taking the risk of being spammed by maintaining a published
e-mail address as well as no mechanism to determine if the mail is from
someone legitimate.  This is the basis of these challenge/response
anti-spam systems.  You e-mail me, my system challenges you to reply
with a password or some other data, and I verify and then accept your
e-mail.  If you forced everyone who sent you e-mail to do so using PGP,
you'd end up with two piles of mail -- those who had an acceptable chain
of signers and those who didn't, essentially the same effect as the
challenge/response systems.  It wouldn't matter if the keyserver was
completely open or not.

So back to the original question you posted -- "It seems to me that the
possibility that spammers might harvest PGP keyservers for email
addresses is a serious disincentive to using keyservers. Does anyone
have any thoughts on this?".  Any mechanism which publishes your e-mail
address is going to be a bad thing from a spam perspective unless you
are using other countermeasures.  This is no different from a telephone
number (for which I now use Call Intercept to avoid telephone solicitors).
It seems to me that the world breaks down into two different groups --
those who religiously protect their access identifiers (e-mail addresses
and phone numbers) and those who don't.  You have consequences of each
-- limited accessibility is traded off against spam.  

Interesting issues around this, and much discussed lately.

Cheers --

jeffrey kay 
weblog <k2.com> pgp key <www.k2.com/keys.htm> aim <jkayk2>
share files with me -- get shinkuro -- <www.shinkuro.com>

"first get your facts, then you can distort them at your leisure" --
mark twain 
"if the person in the next lane at the stoplight rolls up the window and
locks the door, support their view of life by snarling at them" -- a
biker's guide to life
"if A equals success, then the formula is A equals X plus Y plus Z. X is
work. Y is play. Z is keep your mouth shut." -- albert einstein


> -----Original Message-----
> From: owner-cryptography@metzdowd.com 
> [mailto:owner-cryptography@metzdowd.com] On Behalf Of 
> Jill.Ramonsky@Aculab.com
> Sent: Tuesday, June 10, 2003 11:54 AM
> To: dahonig@cox.net; cryptography@metzdowd.com
> Subject: RE: Keyservers and Spam

...

> So ... if you believe (as I do) that a PGP key is 
> untrustworthy unless there
> is a chain of signers reaching from you to it, matching the 
> settings in your
> PGP configuration file, then posting a bogus key becomes completely
> pointless.
> 
> On the other hand ... if the key is NOT bogus, then it has my 
> real name on
> it, and the spam problem remains.

...


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
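Added example, not part of the thread: a small model of the "two piles of mail" idea above. It uses a constructed web-of-trust graph, a bounded search for a chain of signers from your own key to the sender's signing key (the depth limit stands in for the PGP configuration setting Jill refers to; treating it as a plain hop count is an assumption), and sorts a constructed inbox into the accepted pile and the unverified pile, where unsigned mail always lands.

```python
"""Chain-of-signers whitelist: sort incoming mail by whether the sender's
key is reachable from our own key through a bounded chain of signatures."""
from collections import deque

# Constructed web of trust: signer key ID -> keys that signer has certified.
SIGNATURES = {
    "me":      {"alice", "bob"},
    "alice":   {"carol"},
    "bob":     set(),
    "carol":   {"dave"},
    "dave":    {"eve"},
    "mallory": {"mallory"},   # self-signed only: no chain from "me" can reach it
}


def chain_length(trust, start, target, max_depth):
    """Breadth-first search for a signature chain start -> ... -> target.
    Returns the number of hops, or None if no chain exists within max_depth
    (max_depth plays the role of a maximum certification depth setting)."""
    if start == target:
        return 0
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:
        key, depth = frontier.popleft()
        if depth == max_depth:          # do not extend chains past the limit
            continue
        for signee in trust.get(key, ()):
            if signee == target:
                return depth + 1
            if signee not in seen:
                seen.add(signee)
                frontier.append((signee, depth + 1))
    return None


def sort_mail(messages, trust, my_key="me", max_depth=3):
    """Split messages into (accepted, unverified): a message is accepted only
    if it is signed and the signing key has a chain of signers from my_key."""
    accepted, unverified = [], []
    for msg in messages:
        signer = msg.get("signed_by")
        if signer is not None and chain_length(trust, my_key, signer, max_depth) is not None:
            accepted.append(msg)
        else:
            unverified.append(msg)   # unsigned or no acceptable chain of signers
    return accepted, unverified


# Constructed inbox: 'signed_by' is the signing key ID, or None for unsigned mail.
INBOX = [
    {"from": "alice@example.org",   "signed_by": "alice"},    # 1 hop: me->alice
    {"from": "dave@example.org",    "signed_by": "dave"},     # 3 hops: me->alice->carol->dave
    {"from": "eve@example.org",     "signed_by": "eve"},      # 4 hops: beyond max_depth=3
    {"from": "mallory@example.org", "signed_by": "mallory"},  # self-signed only
    {"from": "unknown@example.org", "signed_by": None},       # unsigned: nothing to check
]
```

Raising `max_depth` to 4 moves Eve's message into the accepted pile, which is exactly the trade-off between reachability and exposure the post describes.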
