Theodore Ts'o wrote:
...Signed e-mail is useful for assuring that e-mail message sent at one point in time is the same as an e-mail message sent earlier. (Not necessarily just for list mail, but also for person-to-person mail.)
...For the specialized case of preventing SPAM, it's not necessarily necessary to do the full authenticated e-mail where we know the
someone, your public key figureprint must either be on a list of
acceptable senders, or you must submit some kind of mathematical
evidence that you have spent 5-10 minutes of CPU time crunching on
some particular problem.
Agreed. CPU time falls under the same class of schemes as the address validity test that we already have for list e-mail; the spammer has to invest more time and money, and have a bigger risk of capture, the more we demand from unknown senders.
On list enrollment, you could even demand that the same address be valid for some time, such as a day, through a delayed validation scheme. Hit and run spammers might not be able to use the same mail address for a very long time. Could we use the same for person-to-person e-mail? If I read the spam a day after it has been sent, will the spammer's mail agent still be there for an automatic ack that the address is valid?
In general, I'm very much in favor of these types of mechanisms as opposed to a knee jerk "lets authenticate everyone and see if it helps" approaches ;-)
(This doesn't mean that such mechanisms are ready to be deployed and problem free in all cases.)
Yeah, some special provision would be needed for CPU-limited PDA's,
but most PDA's that I've seen don't attempt to talk to the network
directly; they generally go through some kind of mutually trusted
gateway box that could do the CPU crunching for them.
And speaking of problems, I do think the imparity between different devices is a real issue for the CPU time method. *Your* PDA may not talk to the network directly, but *my* phone runs IMAP, SMTP, SSH, SSL, HTTP, and streaming video from the net in addition to the usual office applications such as Doom and C64 emulator ;-) Given this, some people might argue that my phone can then afford the CPU crunching as well. Perhaps, but the problem is that while the capacity in the low-end increases, the same happens for the high-end as well. I'd claim that the relative speed difference stays constant over time.
I don't have a good suggestion on how to resolve this, however. Perhaps the lowest common denominator is still a big enough deterrent? Note that help from a network entity is not likely solve this problem. Think about it: the average users are not going to install their own network helpers. They are going to rely ISPs' servers. So, we'd see SMTP servers that do the number crunching on behalf of the ISP's customers. Enter a spammer who claims to have a small device...
--Jari
