hash cash? or individually signed email

From: Al Gilman <asgilman@iamdigex.net>
Date: Thu, 03 May 2001 11:44:41 -0400
Message-Id: <Version.32.20010501193012.041ed220@pop.iamdigex.net>
To: steveg@pa.dec.com (Steve Glassman), Cem.Karan@usa.alcatel.com (Cem Karan)
Cc: Aaron Swartz <aswartz@swartzfam.com>, www-talk@w3.org
[This is a little wooly, but I think it's time to share it and stop trying to
write a shorter letter.  - Al]

At 03:38 PM 2001-05-01 -0700, Steve Glassman wrote:
>
>If the server doesn't automatically bounce the non-hash cash messages,
>then the recipient eventually has to screen the non hash cash messages
>and they are spammed.
>
>So you are spammed if you do and spammed if you don't.
>
>Steve
>
>p.s. There are other alternatives worth discussing, but I didn't want to
>step on my tag line :-) 
>

I think that there are better things to do with the advertiser's "earnest CPU"
expenditures than just busywork, breaking a hash.

The extra-effort part in one alternative that I was wondering about was simply
to sign the letter addressed to you individually, in a way that involves your
address in the computation of the signature along with the contents of the
message so as to make it impractical to generate one signature for multiple
recipients.  Security upgrades on this can be considered, including that they
have to use not your address but a one-time token that you issued them, that
they have to provide a certificate authenticating that they are who they say
they are, etc.  Yes, this nixes anonymous mail.  

Checking that the signature is kosher is a price you are willing to pay to know
that the sender is bona fide interested in talking to you, and not just
flooding the IP waves for a return rate in the low parts per million.

This creates a "certified mail" mode that you will read ahead of the random
walk-ons.

Nothing I can think of eliminates, for me, the need to make the final
determination to read something or not to read it myself.  Mail from
technologically-lagging strangers is included in what I want to read.  But
spams from bogus opt-out lists that are just looking for me to reply to show I
am a real mailbox -- I can do without even opening those messages.

So I would really appreciate being able to distinguish low-budget gigamailers
from conservative businesses who are eager to demonstrate that they are a real,
going concern and are willing to winnow down their recipients list until they
don't mind cranking on individual signatures for the messages.

I believe a scheme something like this would appeal to the ethical business
community, and drawing the line between scammers and real businesses is likely
to resonate better with Joe Public as well.

The mailing list problem is handled in two parts.  To post to the list you have
to credential yourself as a known article.  This can be done by the certified
mail route or various variations on that.  Basically this means that you are
well enough identified so that a) repeated abuse of lists can be tracked and b)
adverse publicity can be applied if you habitually abuse lists.

Once accepted for list distribution, a post is signed by the list.  Inbox
filtering distinguishes between mail from known lists where the signature may
be generic across recipients and mail from unknown parties where the signature
must be specific to the message you got including the addressing.

So the key is authentic information as to origination, plus individual
attention of some moderate computational cost paid to the message addressed to
_you_.

That's the pipe dream of the hour in this department.

Al
Received on Thursday, 3 May 2001 11:39:14 GMT
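
Added example, not part of the message above: a sketch of the inbox filter the message describes, where a tag from an unknown party must cover the recipient's own address while a known list's tag may be generic. HMAC-SHA256 with a pre-shared key stands in here for the public-key signature and certificate the message has in mind; all function names, keys and addresses are hypothetical.

```python
import hashlib
import hmac

def _frame(*fields: str) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") never yield the same signed bytes.
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out

def _tag(key: bytes, *fields: str) -> bytes:
    return hmac.new(key, _frame(*fields), hashlib.sha256).digest()

def sign_for(key: bytes, sender: str, recipient: str, body: str) -> bytes:
    """Sender side: one tag per recipient, covering that address and the body."""
    return _tag(key, "individual", sender, recipient, body)

def sign_as_list(key: bytes, list_id: str, body: str) -> bytes:
    """List side: one tag per accepted post, the same for every subscriber."""
    return _tag(key, "list", list_id, body)

def classify(msg: dict, my_address: str, sender_keys: dict, list_keys: dict) -> str:
    """Inbox filter: 'list', 'certified' or 'unverified' (still delivered, read later)."""
    sig = msg.get("sig", b"")
    list_id = msg.get("list_id")
    if list_id in list_keys:
        if hmac.compare_digest(sig, sign_as_list(list_keys[list_id], list_id, msg["body"])):
            return "list"
    key = sender_keys.get(msg["sender"])
    # Recompute over the address this mailbox owns, not over any header the sender supplied.
    if key and hmac.compare_digest(sig, sign_for(key, msg["sender"], my_address, msg["body"])):
        return "certified"
    return "unverified"

def demo() -> list:
    # Constructed keys, addresses and messages.
    senders = {"shop@example.com": b"constructed-sender-key"}
    lists = {"talk@lists.example.org": b"constructed-list-key"}
    body = "Your order has shipped."
    direct = {"sender": "shop@example.com", "body": body,
              "sig": sign_for(senders["shop@example.com"], "shop@example.com", "alice@example.org", body)}
    post = {"sender": "carol@example.net", "list_id": "talk@lists.example.org", "body": "Re: hash cash?",
            "sig": sign_as_list(lists["talk@lists.example.org"], "talk@lists.example.org", "Re: hash cash?")}
    return [classify(direct, "alice@example.org", senders, lists),   # signed for alice
            classify(direct, "bob@example.org", senders, lists),     # same tag replayed to bob
            classify(post, "bob@example.org", senders, lists)]       # generic list signature

if __name__ == "__main__":
    print(demo())
```

The one-time-token variant mentioned in the message would replace `recipient` in `sign_for` with a token the recipient issued, and the filter would look the token up and retire it after first use.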
