[PLUG] what is the point of PGP-signed emails?

Zot O'Connor zot at whiteknighthackers.com
Thu Dec 11 12:44:02 UTC 2003


On Thu, 2003-12-11 at 10:55, Jason Van Cleve wrote:
> Quoth Zot O'Connor, on Wed, 10 Dec 2003 21:40:44 -0800:


>   Anyway, this
> is getting a tad complex, so let me try to get it straight.  Email servers
> (SMTP?) would require a razor-PGP-like filter,

The trick is that this can be done at the email servers *and* the
client.  Currently some spam filters operate on the server before relay,
before delivery and at the client end.

If we allow for all those cases then power users and business users, who
want fast email, would likely turn off the delay, but still report.

In actuality, if you check upon "attempt to pull mail" (either from the
client or the server), the two-hour delay is likely to be there for
non-power users and non-business users.

Also the razor-pgp would be a blacklist.  Whitelists are local.

> 
> The following problems seem to remain:
> 
> If all the mail servers are stalling emails for our hypothetical two
> hours, who in that time will read and report them as spam?

As I mentioned above, I did not intend to quarantine the mail, but that
is not a bad idea.  Something like this may work:
  If spamscore > 6 and key == unknown then hold

This could just work like bulk/spam filters work now, they put the
likely spam in a mailbox for you to decide.

By linking the spam score with the key, you will catch even more.

>   It would
> have to be a large subset of users, for every spam is not sent to
> everyone.

Spam is pretty non-discriminatory.  Scams used to be, but now are not.

>   I suppose it would be voluntary, and if enough people get
> tired of doing it and revert to waiting themselves, the plan will fail.

If they had to wait yes.

> 
> If the two-hour wait period is effective after all, spammers will resort
> to signing each email with a new key, rendering the probationary period
> moot.  

Yes, which makes them work harder, but not you and I.  You still have
forced them to work, and sign.

> (Or they will send only a small number of emails per key, which
> would be about as effective.)

This is a good thought (or evil thought).

>   You say the process of generating keys
> will slow them down appreciably.  I doubt it.  Spammers are
> sophisticated assholes.  And all of this will encourage them to hijack
> other people's machines to do their work.
> 

Even if they hijack, it makes their job more difficult, and *clearly*
illegal.  No free speech arguments now.

Just because it forces spammers to hijack other servers does not make it
bad.  I think it is good.  It makes them state their position, risk far
more personal issues, and work harder.

To some extent it is like saying jewel thieves now have to break into
stores because the mean owners put locks up.

> Another possibility is that spammers will generate a key, send a few
> legitimate, hi-how-ya-doin' type emails to his friends (if he has any)
> in order to make the key "known", then use it to send five million
> penis-pill ads, many of which will reach their destinations before
> razor-pgp knows what hit it.

No this will not work.  The razor-pgp is a blacklist.  Whitelists are
local.  So his friends will be the only ones to get his spam.

> 
> 
> I'd like to know if there is any feasibility to the idea of a universal
> web of trust, where users worldwide would have to join, or their emails
> would be filtered by default.  Thus unknown keys would never be
> delivered at all.
> 

I think universal webs of trust do not work.  Small webs of trust do,
and large webs of distrust work.

The trick is getting people to use a verifiable delivery systems (pgp
keys) in the first place.  Then webs of [dis]trust start to work.

This is how it works in the real world.  You know Bob, so if Bob says the
show is good you trust him.  If an unknown John says it's good, you
hesitate.  If you meet John socially and get to know him, then you trust
him.

-- 
Zot O'Connor

http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com
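A toy model of the filter the thread is debating (added here as an illustration; it is not code from the list or from Razor/PGP): a shared blacklist of reported signing keys, a local whitelist, the "spamscore > 6 and key unknown then hold" rule, and the hypothetical two-hour probation for never-seen keys. Key IDs, scores and minute timestamps are constructed; the spam score is assumed to come from a SpamAssassin-style content filter.

```python
from dataclasses import dataclass, field
from typing import Optional

SPAM_THRESHOLD = 6       # "If spamscore > 6 and key == unknown then hold"
PROBATION_MINUTES = 120  # the hypothetical two-hour wait for never-seen keys

@dataclass
class Message:
    key_id: Optional[str]  # PGP key ID that signed the mail; None if unsigned
    spam_score: float      # score from a content filter (SpamAssassin-style, assumed)
    received: int          # minutes since an arbitrary epoch (constructed timestamps)

@dataclass
class Filter:
    local_whitelist: set = field(default_factory=set)   # keys this user trusts
    global_blacklist: set = field(default_factory=set)  # keys reported as spam (shared)
    first_seen: dict = field(default_factory=dict)      # key_id -> minute first observed
    delay_enabled: bool = True                          # power users switch this off

    def decide(self, msg: Message) -> str:
        """Return 'deliver', 'hold' (spam folder / wait) or 'reject'."""
        if msg.key_id is None:  # unsigned: only the content score is available
            return "hold" if msg.spam_score > SPAM_THRESHOLD else "deliver"
        if msg.key_id in self.global_blacklist:
            return "reject"
        if msg.key_id in self.local_whitelist:
            return "deliver"  # local trust beats the probation period
        seen = self.first_seen.setdefault(msg.key_id, msg.received)
        unknown = msg.received - seen < PROBATION_MINUTES
        if unknown and msg.spam_score > SPAM_THRESHOLD:
            return "hold"  # high score from a brand-new key: quarantine
        if unknown and self.delay_enabled:
            return "hold"  # wait out the probation so spam reports can arrive
        return "deliver"

    def report_spam(self, key_id: str) -> None:
        """A recipient reports the mail; the signing key joins the shared blacklist."""
        self.global_blacklist.add(key_id)

def demo() -> list:
    """Walk through the scenarios debated in the thread; returns the decisions."""
    f = Filter(local_whitelist={"FRIEND"})
    out = [f.decide(Message("SPAMKEY", 9.5, 0)),   # new key, spammy -> hold
           f.decide(Message("FRIEND", 9.5, 0)),    # whitelisted friend -> deliver
           f.decide(Message("NEWKEY", 1.0, 0)),    # new key, clean -> hold (probation)
           f.decide(Message("NEWKEY", 1.0, 150))]  # same key two hours later -> deliver
    f.report_spam("SPAMKEY")                        # a recipient reports the first mail
    out.append(f.decide(Message("SPAMKEY", 0.5, 10)))  # reported key -> reject
    return out
```

Note that the whitelist path is exactly why a spammer who "warms up" a key with his friends only reaches those friends: everyone else still applies the probation and the shared blacklist.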
