On Fri, 30 May 2003 09:14:51 EDT, Dave Aronson said:
> "Tony Hain" <[EMAIL PROTECTED]> wrote:
> 
>  TH> Mail list servers would be a problem if we only use public
>  TH> key, so another part of the new system could be establishing
>  TH> a symmetric key as part of subscribing to a mail list.
> 
> Or alternately, some kind of whitelisting, so that encryption is not 
> necessary at all.

The problem is that to be effective, the whitelisting has to happen at
your mail server, not your MUA.  And although there's at least a *chance*
of your MUA twigging onto the fact that you sent a 'subscribe' request,
it's not clear that your provider's MTA can check and auto-whitelist your
subscriptions (especially since the 'subscribe' in general does *NOT*
give a hint of what MAIL FROM: to whitelist (especially if the list
is using VERPs or similar))....

And of course, "fill out this form on a webpage" subscriptions are a near-total
loss for automagic whitelisting - which means that the provider's phone WILL
ring.. ;)

It's not clear that you can expect users to hand-whitelist correctly either,
especially if the list doesn't give you an RFC2919-style hint of what to
whitelist (and see my comment about VERPs)....
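
An added example, not part of the original message: a sketch of the matching a server-side whitelist would need for the VERP and RFC 2919 cases raised above. The addresses, the `-`/`+` VERP separators, and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample data (not from the thread).
RCPT = "alice@example.com"
VERP_FROM = "discuss-bounces-alice=example.com@lists.example.org"
SAMPLE = (
    "From: someone@example.net\n"
    "List-Id: Example discussion list <discuss.lists.example.org>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def verp_base(mail_from, rcpt):
    """Strip a VERP-encoded recipient (user=host) from the envelope sender."""
    if "@" not in mail_from:
        return mail_from.lower()
    local, _, domain = mail_from.rpartition("@")
    encoded = rcpt.replace("@", "=")  # VERP writes user@host as user=host
    for sep in ("-", "+"):  # assumed separators; list software varies
        suffix = (sep + encoded).lower()
        if local.lower().endswith(suffix):
            local = local[: -len(suffix)]
            break
    return f"{local}@{domain}".lower()

def list_id(raw_message):
    """Return the RFC 2919 list identifier (text inside <...>), or None."""
    value = message_from_string(raw_message).get("List-Id")
    if not value:
        return None
    m = re.search(r"<([^<>]+)>\s*$", value)
    return m.group(1).strip().lower() if m else None

def whitelist_hit(mail_from, rcpt, raw_message, senders, list_ids):
    """Report which rule, if any, would let this message through."""
    if mail_from.lower() in senders:
        return "exact-sender"
    if verp_base(mail_from, rcpt) in senders:
        return "verp-base"
    # List-Id is an unauthenticated header, and the MTA only sees it
    # after DATA, so treat it as a hint rather than proof of origin.
    if list_id(raw_message) in list_ids:
        return "list-id"
    return None
```

Whitelisting the address the 'subscribe' was sent to (here a hypothetical `discuss-request@lists.example.org`) matches nothing, because the envelope sender on list traffic is a different, per-recipient address.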
