Keyservers and Spam

Jeffrey Kay jeff at k2.com
Tue Jun 10 12:43:05 EDT 2003


Jill --

I'm thinking that you may have answered your own question.  The problem
really lies in the fact that none of us uses secured e-mail exclusively.
If so, then following a chain of signers to validate the sender creates
the essence of a whitelist, thereby avoiding most spam.  

However, since we don't secure all messages that we send, we're
essentially taking the risk of being spammed by maintaining a published
e-mail address as well as no mechanism to determine if the mail is from
someone legitimate.  This is the basis of these challenge/response
anti-spam systems.  You e-mail me, my system challenges you to reply
with a password or some other data, and I verify and then accept your
e-mail.  If you forced everyone who sent you e-mail to do so using PGP,
you'd end up with two piles of mail -- those who had an acceptable chain
of signers and those who didn't, essentially the same effect as the
challenge/response systems.  It wouldn't matter if the keyserver was
completely open or not.

So back to the original question you posted -- "It seems to me that the
possibility that spammers might harvest PGP keyservers for email
addresses is a serious disincentive to using keyservers. Does anyone
have any thoughts on this?".  Any mechanism which publishes your e-mail
address is going to be a bad thing from a spam perspective unless you
are using other countermeasures.  This is no different than a telephone
number (for which I now use Call Intercept to avoid telephone solicitors).
It seems to me that the world breaks down into two different groups --
those who religiously protect their access identifiers (e-mail addresses
and phone numbers) and those who don't.  You have consequences of each
-- limited accessibility is traded off against spam.  

Interesting issues around this, and much discussed lately.

Cheers --

jeffrey kay 
weblog <k2.com> pgp key <www.k2.com/keys.htm> aim <jkayk2>
share files with me -- get shinkuro -- <www.shinkuro.com>

"first get your facts, then you can distort them at your leisure" --
mark twain 
"if the person in the next lane at the stoplight rolls up the window and
locks the door, support their view of life by snarling at them" -- a
biker's guide to life
"if A equals success, then the formula is A equals X plus Y plus Z. X is
work. Y is play. Z is keep your mouth shut." -- albert einstein


> -----Original Message-----
> From: owner-cryptography at metzdowd.com 
> [mailto:owner-cryptography at metzdowd.com] On Behalf Of 
> Jill.Ramonsky at Aculab.com
> Sent: Tuesday, June 10, 2003 11:54 AM
> To: dahonig at cox.net; cryptography at metzdowd.com
> Subject: RE: Keyservers and Spam

...

> So ... if you believe (as I do) that a PGP key is 
> untrustworthy unless there
> is a chain of signers reaching from you to it, matching the 
> settings in your
> PGP configuration file, then posting a bogus key becomes completely
> pointless.
> 
> On the other hand ... if the key is NOT bogus, then it has my 
> real name on
> it, and the spam problem remains.

...
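The "two piles of mail" idea above, as an added illustration that is not part of either poster's message: a signature graph is walked from the sender's key back toward your own key, and mail is accepted only when a chain of signers no longer than a configured depth exists. Key names, the mail records and the depth setting are all constructed for the example.

```python
from collections import deque

# Constructed sample: key -> set of keys that signed it (made-up names, not real key IDs).
SIGNERS = {
    "alice": {"me"},          # signed directly by our own key
    "bob": {"alice"},
    "carol": {"bob"},
    "dave": {"carol"},        # four hops away from "me"
    "spammer": {"spammer"},   # self-signed only; no chain reaches us
}

def chain_length(sender_key, own_key, signers, max_depth):
    """Shortest chain of signers from own_key to sender_key, or None if no
    chain of at most max_depth hops exists (max_depth stands in for the
    chain-length setting in a PGP configuration file)."""
    if sender_key == own_key:
        return 0
    seen = {sender_key}
    queue = deque([(sender_key, 0)])
    while queue:
        key, depth = queue.popleft()
        if depth >= max_depth:
            continue                      # would exceed the configured depth
        for signer in signers.get(key, ()):
            if signer == own_key:
                return depth + 1
            if signer not in seen:
                seen.add(signer)
                queue.append((signer, depth + 1))
    return None

def sort_mail(messages, own_key, signers, max_depth):
    """Split mail into the two piles: an acceptable chain of signers, or not.
    Unsigned mail (signing_key None) always lands in the second pile."""
    accepted, unverified = [], []
    for msg in messages:
        key = msg.get("signing_key")
        if key is not None and chain_length(key, own_key, signers, max_depth) is not None:
            accepted.append(msg)
        else:
            unverified.append(msg)
    return accepted, unverified

# Constructed sample mail: one signed message per key plus an unsigned one.
MESSAGES = [
    {"from": "alice@example.org", "signing_key": "alice"},
    {"from": "dave@example.org", "signing_key": "dave"},
    {"from": "spam@example.org", "signing_key": "spammer"},
    {"from": "unknown@example.org", "signing_key": None},
]
```

With max_depth=3, only alice's mail is accepted; dave's chain exists but is one hop too long, and the self-signed key never reaches us.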


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
