- From: Cem Karan <Cem.Karan@usa.alcatel.com>
- Date: Sat, 28 Apr 2001 10:40:31 -0400
- CC: www-talk@w3.org
This should actually be aimed towards any group writing the RFCs associated with email, but I don't know of a mailing list directly associated with them.

I know the international nature of this mailing list, and I don't know if everyone knows the definition of 'spam' as used in the USA. Spam is unsolicited bulk email, kind of like what this mailing list has been subjected to recently. I mention this because spam has started to make the usefulness of email go down. My personal inbox usually has a ratio of about 3:1 of spam:useful mail. This is probably going to get worse as time goes on.

Currently, there are several different strategies to cope with it, but they all deal with the same fundamental problem/blessing of email: there is virtually no cost associated with sending a message. Direct mail advertisers must spend money in order to send you mail. This imposes a low, but totally negligible cost. The cost helps limit the amount of mail that can be sent out. Email, as I said before, has a very low, almost negligible cost associated with it. If we could introduce an artificial cost, one that is easy to implement, then there would be a disincentive to bulk emailers.

A possible way of introducing a cost is through hash cash. The idea is based on brute force cryptanalysis. In order to break an unknown cryptographic message, you must try to calculate all of the possible keys, matching them to the message. Eventually, you will find the key, and break the message. However, to do so takes time. And that is what breaks a spammer. If it takes time to send messages, they can't send them to everyone in the world.

Here is how the scheme works:

As a user, you are allowed to create any number of hash keys, each of which can be any length that you wish. You can invalidate and create new keys at any time. (This would require secure validation that proves that only you are trying to invalidate or create new keys. Otherwise, anyone can create a new simple-to-break key in your name, and continue to send you messages.)

When someone wants to send you a message, they need to break one of the keys before they can send you the message. People you don't know will most likely try to break the shortest/weakest key, as that will take the least amount of time. People you know can be given the key to one of the longer hashes, which will allow them to break the hash immediately, instead of having to use brute force. Anyone who doesn't have the key can still try a brute force attack, but if the key is long enough, then this will take an extraordinary amount of time, severely limiting the number of people that they can spam.

The result is a system that has an associated cost that is user controllable and easy to update. See http://www.cypherspace.org/~adam/hashcash/ for more details and an implementation that you can play with.

There is one major problem with this though. It would require a major overhaul of the email systems that are in place. This would not be negligible. I think that it would be worth the costs, but I would like to know what others thought as well.

Cem Karan

Received on Saturday, 28 April 2001 10:40:45 UTC
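
A minimal sketch of the scheme described in the message above, added here as an illustration; it is not from the original post or from the hashcash implementation it links to. It assumes a "hash key" is published as the SHA-256 digest of a random secret of the chosen bit length, and the class and function names are hypothetical.

```python
import hashlib
import secrets


def digest(key: int, bits: int) -> str:
    """SHA-256 over the key, encoded at a fixed width for its bit length."""
    return hashlib.sha256(key.to_bytes((bits + 7) // 8, "big")).hexdigest()


class Recipient:
    """Publishes challenges of differing strength and can revoke them."""

    def __init__(self):
        self.published = {}  # digest -> key length in bits (assumed public)

    def new_key(self, bits: int) -> int:
        key = secrets.randbits(bits)
        self.published[digest(key, bits)] = bits
        return key  # handed only to correspondents the recipient knows

    def revoke(self, key: int, bits: int) -> None:
        self.published.pop(digest(key, bits), None)

    def accept(self, key: int, bits: int) -> bool:
        """Accept mail only if the presented key matches a live challenge."""
        if key < 0 or key >> bits:
            return False  # key does not fit the claimed length
        return self.published.get(digest(key, bits)) == bits


def weakest(published: dict):
    """Pick the challenge with the shortest key, as a stranger would."""
    return min(published.items(), key=lambda item: item[1])


def brute_force(target: str, bits: int):
    """Stranger's path: try every key of that length; return (key, tries)."""
    for tries, candidate in enumerate(range(1 << bits), start=1):
        if digest(candidate, bits) == target:
            return candidate, tries
    raise ValueError("no key of that length matches")


if __name__ == "__main__":
    inbox = Recipient()
    inbox.new_key(16)                # constructed sample: cheap public challenge
    friend_key = inbox.new_key(128)  # constructed sample: shared out of band
    target, bits = weakest(inbox.published)
    key, tries = brute_force(target, bits)
    print(f"stranger: {tries} hashes, accepted={inbox.accept(key, bits)}")
    print(f"friend: no search, accepted={inbox.accept(friend_key, 128)}")
```

In this sketch a solved key stays valid for further messages until the recipient calls `revoke`, which is the invalidation step the message describes.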