Re: Secure mailing lists Was: my public key

Author: Fred Wright
Date:  
To: plug-discuss
Subject: Re: Secure mailing lists Was: my public key
At 10:54 AM 4/29/04, you wrote:
>Message: 10
>Date: Thu, 29 Apr 2004 00:39:16 -0700
>From: Carl Parrish <>
>To:
>Subject: Re: Secure mailing lists Was: my public key
>Reply-To:
>
>Kevin Brown wrote:
>
> >>>> Hmmm... So how will sharing public keys stop spammers from using your
> >>>> (or the list's) email address?
> >>>
> >>>
> >>> I was thinking about this the other day. Would it be possible to
> >>> make a
> >>> secure mailing list?
> >>
> >
> > Sounds less like an issue with an insecure mailing list than just a
> > mail with a forged from header.
> >
> >>> So let's say that the list had a GPG key, and all the users had GPG
> >>> keys. Now if the user, when sending an e-mail to the list, used the
> >>> list's key and encrypted the message with that key. Then, when the
> >>> list
> >>> manager got the message, it decrypted it, checked the signature, and
> >>> then reencrypted it to all the users on the list. (I'm assuming
> >>> everyone sends their public key as part of the mailing list sign up)
> >>>
> >>> Would that be a secure list?
> >>
> >
> > Secure, yes, good for the mail server, probably not as the load on the
> > server would be much higher.
> >
> >> How would one browse the archives of encrypted messages?
> >
> >
> > One couldn't without the server's private key.
> >
> >> Another question it made me think of is would this prevent spammers
> >> from
> >> stealing email addresses?
> >
> >
> > It wouldn't and doesn't stop them from using the list address as the
> > reply-to (same thing with worms and viruses as they also forge headers).
> >
> >> I'm thinking the encryption is only done on the message content, would
> >> someone please correct me if I'm mistaken?
> >
> >
> > Correct as the other mail servers have to know how to route the
> > message and they can't do that on encrypted headers.
> > ---------------------------------------------------
> > PLUG-discuss mailing list -
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>Perhaps I should make this a separate thread; however, I feel the need to
>bring this up. The open source community is going to have to address
>these concerns before M$ does. If we do it, we have a small chance of
>keeping the standards open; if M$ comes up with a viable (or even
>believable) solution before we do, we can say goodbye to an open
>internet. Every day now I receive bounce mail that I never sent out. I
>have to assume that some spam list somewhere is sending spam out
>claiming to be from me. We have to be able to stop that. It shouldn't be
>too hard to create a mailing list that only allows signed messages
>though. But perhaps we should be thinking on a grander scale: how about a
>mail server that only routes gpg signed msgs? How about a mail filter
>that puts all unsigned messages in a separate folder? None of the
>current issues with mail are really big. In fact, I believe the
>technology is mostly there already, but if we don't put them all together
>(think napster) M$ is going to hijack the web.
>
>--
>Carl Parrish()
>http://www.carlparrish.com
>--
>Registered Linux User #295761 http://counter.li.org


I think that prior discussions on this issue had concluded that the
"sending" ISP needs to verify that the sending user is who he/she says they
are. Earthlink uses SMTPAUTH. If that is not adequate, what is?



--
Fred Wright
fawright-at-earthlink-dot-net
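
The mail filter suggested in the quoted message (putting unsigned messages in a separate folder), sketched as an added example that is not part of the original thread. The function names, folder names and sample messages are assumptions made for illustration; the check looks only at message structure (PGP/MIME per RFC 3156, or inline clearsigned text) and does not verify any signature.

```python
import email

CLEARSIGN = ("-----BEGIN PGP SIGNED MESSAGE-----",
             "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----")

def signature_kind(raw):
    """Classify by structure only: 'pgp-mime', 'pgp-inline' or 'unsigned'."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() == "multipart/signed":
        # RFC 3156: two parts, the second of type application/pgp-signature.
        parts = msg.get_payload() if msg.is_multipart() else []
        proto = str(msg.get_param("protocol", "")).lower()
        if (proto == "application/pgp-signature" and len(parts) == 2 and
                parts[1].get_content_type() == "application/pgp-signature"):
            return "pgp-mime"
        return "unsigned"
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        lines = [line.strip() for line in text.splitlines()]
        pos = -1
        try:  # clearsigned text: the three armor lines must appear in order
            for marker in CLEARSIGN:
                pos = lines.index(marker, pos + 1)
        except ValueError:
            continue
        return "pgp-inline"
    return "unsigned"

def folder_for(raw):
    # Structure is not proof: a real filter would verify the signature (for
    # example with gpg) before trusting the From header, which can be forged.
    return "INBOX" if signature_kind(raw) != "unsigned" else "Unsigned"

# Constructed sample messages; signature bodies are placeholders.
MIME_SIGNED = "\n".join([
    "From: alice@example.org", "Subject: hello",
    "Content-Type: multipart/signed; micalg=pgp-sha1;",
    ' protocol="application/pgp-signature"; boundary="b1"',
    "", "--b1", "Content-Type: text/plain", "", "Hi list.",
    "--b1", "Content-Type: application/pgp-signature", "",
    "PLACEHOLDER", "--b1--", ""])
INLINE_SIGNED = "\n".join([
    "From: bob@example.org", "Subject: hi", "",
    CLEARSIGN[0], "Hash: SHA1", "", "Hi list.",
    CLEARSIGN[1], "PLACEHOLDER", CLEARSIGN[2], ""])
UNSIGNED = "From: carl@example.org\nSubject: buy now\n\nUnsigned text.\n"
if __name__ == "__main__":
    print([folder_for(m) for m in (MIME_SIGNED, INLINE_SIGNED, UNSIGNED)])
```
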