UCE - a simpler approach using just digital signing?
Sascha Silbe
sascha-ml-cryptography-metzdowd.com at silbe.org
Sat Jan 31 06:35:48 EST 2009

On Fri, Jan 30, 2009 at 01:47:23PM -0800, Ray Dillinger wrote:

> Each time Fred gives out his email address to a new sender, he creates
> a trust token for that sender. They must use it when they send him
> mail.

That's basically what I'm using, just without the digital signature
part: each person/organisation/website/whatever gets a different email
address for communicating with me (qmail makes this easy to implement);
mailing list and bugtracker addresses are filtered to accept only mail
with the correct headers.

It works much better than content filters, but it's basically limited to
1:1 communication (with a mailing list looking like a single entity as
it forwards traffic both ways). Most importantly, it breaks for CC
parties (*). Address lists on paper given out to a large number of
participants are problematic as well (those utilizing paper lists are
mostly non-tech-savvy - thus prone to attacks - and changing the address
is hard due to the long update interval of the list).

To get on-topic again:

Another scheme (that could be combined with the above one to solve only
the CC party problem) would be accepting only PGP mail and using a
manually updated whitelist / web of trust of PGP keys. Unfortunately,
PGP still isn't widespread enough to reject non-PGP mails and the ones
not using it are often far more susceptible to address harvesting
malware, limiting the usefulness of such a filter.

(*) CC party: group discussion without predetermined participants (so no
mailing list could be set up in advance)

CU Sascha
--
http://sascha.silbe.org/
http://www.infra-silbe.de/
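
The per-sender token idea discussed in this message, as an added example that is not code from either poster: a recipient-side filter for extension addresses whose tag is bound to the sender it was issued to. Assumptions: an HMAC stands in for the digital signature (the recipient both issues and verifies), and the key, names and addresses are constructed.

```python
import hashlib
import hmac

# Constructed values for illustration only.
SECRET = b"constructed-demo-key"  # hypothetical key known only to the recipient
LOCAL, DOMAIN = "fred", "example.org"

def _tag(sender: str) -> str:
    """Short HMAC over the normalised sender address the token was issued to."""
    mac = hmac.new(SECRET, sender.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def issue_address(sender: str) -> str:
    """Address Fred hands to one correspondent (qmail-style extension address)."""
    return f"{LOCAL}-{_tag(sender)}@{DOMAIN}"

def accept(rcpt: str, sender: str, revoked: frozenset = frozenset()) -> bool:
    """Accept only if the tag in rcpt was issued to this sender and is not revoked."""
    local, _, domain = rcpt.lower().partition("@")
    prefix = LOCAL + "-"
    if domain != DOMAIN or not local.startswith(prefix):
        return False  # bare or foreign address: no token present
    tag = local[len(prefix):]
    if tag in revoked:
        return False  # this correspondent's address was withdrawn
    return hmac.compare_digest(tag, _tag(sender))

def demo() -> dict:
    alice, carol = "alice@example.com", "carol@example.net"
    addr = issue_address(alice)
    return {
        "alice_ok": accept(addr, alice),
        # Carol was CC'd by Alice and replies to the address she saw there.
        "cc_party_ok": accept(addr, carol),
        "bare_address_ok": accept(f"{LOCAL}@{DOMAIN}", alice),
        "after_revocation_ok": accept(addr, alice, revoked=frozenset({_tag(alice)})),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rejected `cc_party_ok` case is the CC party limitation: a participant who was never issued a token cannot reply. The sender address checked here is whatever the message claims, so this acts as a filter and not as sender authentication.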
More information about the cryptography
mailing list