At 10:54 AM 4/29/04, you wrote:
>Message: 10
>Date: Thu, 29 Apr 2004 00:39:16 -0700
>From: Carl Parrish
>To: plug-discuss@lists.plug.phoenix.az.us
>Subject: Re: Secure mailing lists Was: my public key
>Reply-To: plug-discuss@lists.plug.phoenix.az.us
>
>Kevin Brown wrote:
>
> >>>> Hmmm... So how will sharing public keys stop spammers from using your
> >>>> (or the list's) email address?
> >>>
> >>> I was thinking about this the other day. Would it be possible to make a
> >>> secure mailing list?
> >>
> >
> > Sounds less like an issue with an insecure mailing list than just a
> > mail with a forged from header.
> >
> >>> So let's say that the list had a GPG key, and all the users had GPG
> >>> keys. Now if the user, when sending an e-mail to the list, used the
> >>> list's key and encrypted the message with that key. Then, when the list
> >>> manager got the message, it decrypted it, checked the signature, and
> >>> then reencrypted it to all the users on the list. (I'm assuming
> >>> everyone sends their public key as part of the mailing list sign up)
> >>>
> >>> Would that be a secure list?
> >>
> >
> > Secure, yes, good for the mail server, probably not as the load on the
> > server would be much higher.
> >
> >> How would one browse the archives of encrypted messages?
> >
> > One couldn't without the server's private key.
> >
> >> Another question it made me think of is would this prevent spammers from
> >> stealing email addresses?
> >
> > It wouldn't and doesn't stop them from using the list address as the
> > reply-to (same thing with worms and viruses as they also forge headers).
> >
> >> I'm thinking the encryption is only done on the message content, would
> >> someone please correct me if I'm mistaken?
> >
> > Correct as the other mail servers have to know how to route the
> > message and they can't do that on encrypted headers.
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>Perhaps I should make this a separate thread; however, I feel the need to
>bring this up. The open source community is going to have to address
>these concerns before M$ does. If we do it we have a small chance of
>keeping the standards open; if M$ comes up with a viable (or even
>believable) solution before we do, we can say goodbye to an open
>internet. Every day now I receive bounce mail that I never sent out. I
>have to assume that some spam list somewhere is sending spam out
>claiming to be from me. We have to be able to stop that. It shouldn't be
>too hard to create a mailing list that only allows signed messages
>though. But perhaps we should be thinking on a grander scale: how about a
>mail server that only routes gpg signed msgs? How about a mail filter
>that puts all unsigned messages in a separate folder? None of the
>current issues with mail are really big. In fact I believe the
>technology is mostly there already, but if we don't put them all together
>(think napster) M$ is going to hijack the web.
>
>--
>Carl Parrish(cparrish@carlparrish.com)
>http://www.carlparrish.com
>--
>Registered Linux User #295761 http://counter.li.org

I think that prior discussions on this issue had concluded that the "sending" ISP needs to verify that the sending user is who he/she says they are. Earthlink uses SMTPAUTH. If that is not adequate, what is?

--
Fred Wright
fawright-at-earthlink-dot-net
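
The filter Carl Parrish suggests above (file unsigned mail separately), sketched in Python as an added example that is not code from the thread. The folder names and the `verify` callback are assumptions; in practice `verify` would wrap an OpenPGP implementation such as gpg and return the address of the key that produced a valid signature.

```python
import email
from email import policy
from email.utils import parseaddr

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def signature_kind(msg):
    """Structural check only: 'pgp-mime' (RFC 3156), 'inline' (clearsigned) or None."""
    if msg.get_content_type() == "multipart/signed":
        parts = list(msg.iter_parts())
        ok = ((msg.get_param("protocol") or "").lower() == "application/pgp-signature"
              and len(parts) == 2
              and parts[1].get_content_type() == "application/pgp-signature")
        return "pgp-mime" if ok else None
    if msg.is_multipart() or msg.get_content_maintype() != "text":
        return None
    # Markers must stand alone on a line, so quoted ("> ...") markers do not count.
    lines = [line.rstrip() for line in msg.get_content().splitlines()]
    try:
        lines.index(END_SIG, lines.index(BEGIN_SIG, lines.index(BEGIN_MSG)))
    except ValueError:
        return None
    return "inline"

def route(raw, verify=None):
    """Return a folder name. `verify` is a hypothetical callback (for example a
    wrapper around gpg) returning the verified signer's address, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    if signature_kind(msg) is None:
        return "Unsigned"
    if verify is None:
        return "Signed-Unverified"      # a signature block alone proves nothing
    signer = verify(msg)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    # A valid signature from a key that is not the From address is still a forgery.
    return "Inbox" if signer and signer.lower() == sender else "Suspect"

# Constructed sample messages (addresses and signature bodies are placeholders).
HDR = "From: Alice <alice@example.org>\nSubject: test\n"
UNSIGNED = HDR + "\nhello list\n"
QUOTED = HDR + "\n> " + BEGIN_MSG + "\n> hi\n> " + BEGIN_SIG + "\n> x\n> " + END_SIG + "\n"
INLINE = HDR + "\n" + BEGIN_MSG + "\nHash: SHA1\n\nhello\n" + BEGIN_SIG + "\n\nPLACEHOLDER\n" + END_SIG + "\n"
PGPMIME = (HDR + 'Content-Type: multipart/signed; protocol="application/pgp-signature";'
           ' micalg=pgp-sha1; boundary="b"\n\n--b\nContent-Type: text/plain\n\nhello\n'
           "--b\nContent-Type: application/pgp-signature\n\nPLACEHOLDER\n--b--\n")
```

Comparing the verified signer with the `From` address is what addresses the forged-header case raised in the thread: a message that merely carries a signature block, or one signed by an unrelated key, does not reach the inbox.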