>>The particular scheme you suggest sounded like it might be possible
>>for a spammer to subscribe to a real list and re-use its
>>authentication header on spam, since you are only signing the
>>Date: header, not the message body...
>
>No, because the spammer would not actually ever be in possession of the
>_true_ list owner's private key. Thus, he could not properly encrypt
>the date/timestamp so that it would properly decrypt with the corresponding
>public key.

The spammer just re-uses the date/timestamp as well as the encrypted key.
Days-old mail from mailing lists is (unfortunately) not rare.

Stan
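
Added example, not part of the original message or of any scheme's real code: a recipient-side check showing that a signature over the Date: header alone still verifies when the header pair is copied onto a different body, while a signature that also covers the body does not. The header name `X-List-Auth`, the toy textbook-RSA key and the sample messages are assumptions constructed for the illustration.

```python
import hashlib

# Toy textbook-RSA key from two known Mersenne primes. Constructed for
# illustration only: far too small and unpadded for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key, known to every recipient
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the list owner

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)

def signed_bytes(msg: dict, cover_body: bool) -> bytes:
    """Bytes the signature covers: Date alone, or Date plus body."""
    data = msg["Date"].encode()
    if cover_body:
        data += b"\0" + msg["body"].encode()
    return data

def list_send(date: str, body: str, cover_body: bool) -> dict:
    msg = {"Date": date, "body": body}
    msg["X-List-Auth"] = sign(signed_bytes(msg, cover_body))  # hypothetical header
    return msg

def recipient_accepts(msg: dict, cover_body: bool) -> bool:
    return verify(signed_bytes(msg, cover_body), msg["X-List-Auth"])

# Constructed sample messages.
DATE = "Mon, 01 Jan 1990 12:00:00 +0000"
genuine = list_send(DATE, "Minutes of the last meeting.", cover_body=False)
# Headers copied verbatim from the genuine post, body swapped; no private key used.
replayed = dict(genuine, body="Unrelated bulk advertisement.")

genuine_full = list_send(DATE, "Minutes of the last meeting.", cover_body=True)
replayed_full = dict(genuine_full, body="Unrelated bulk advertisement.")

if __name__ == "__main__":
    print(recipient_accepts(genuine, False), recipient_accepts(replayed, False))
    print(recipient_accepts(genuine_full, True), recipient_accepts(replayed_full, True))
```

A freshness window on the signed date narrows the reuse but cannot be tight, since legitimate list mail can arrive days late.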
