[Mailman-Developers] Crypto-sign to post

Stefan Schlott stefan.schlott at ulm.ccc.de
Thu Nov 9 11:54:38 CET 2006


Re-hi,

> I brought this up on the Cairo mailing list recently
> <http://lists.freedesktop.org/archives/cairo/2006-November/008345.html>
> and Carl Worth brought up the idea of a simple option to accept any post
> that's cryptographically signed, regardless of subscriber status.  I
> liked this idea for several reasons.
>
> 1. I've never seen signed spam
> 2. Most mail programs have some way to sign mails
> 3. When spammers do start signing spam it allows a straightforward
>     transition to a real web-of-trust style model.

I already received some spam messages including GPG markings. They were fake,
of course; they were used to fool simple scoring systems (e.g. if message
contains "BEGIN PGP SIGNED MESSAGE", it is most likely no spam).

As you mentioned, signing of a message is easy; so it is easy to sign a spam
message, too. The problem is: Which key is used to sign the message, and how
do you determine whether a key belongs to a spammer or to an ordinary user?
The signature alone does not solve your problem.

The (only?) way to tell the mailing list that your key is to be trusted is the
same procedure as usual: Register before posting. The advantage you'll gain by
verifying signatures is independence of the sender's address:
- Sender spoofing becomes impossible (the signature cannot be forged)
- No more hassle with different mail accounts (as long as the signature
verifies, the ml will deliver the mail regardless of the sender's address)

Follow-up problem (or implementation detail, call it what you like): Message
freshness and partially signed messages. A spammer could capture a signed mail
and repost it to a list; the spam message could be inserted at an unsigned
part. If the list checks if some part is signed, the spam will be delivered;
if the list verifies that the whole message is signed, you might have a lot of
trouble with users using a buggy mail client.

Another possible problem: Verifying a cryptographic signature is a rather
"expensive" operation (in terms of CPU time); on a high-traffic server this
will have a severe impact.


Please don't get me wrong: I think using signatures (and probably encryption,
too) is a good idea - I'm just pointing out thoughts we came up with when trying
to hack gpg and/or s/mime support into mailman. In the course of that project,
we tried to implement a "post if signature verifies", too. If you want to have a
look at it, see:
  http://non-gnu.uvt.nl/mailman-ssls/
My initial efforts for an encrypted mailing list are at:
  http://stefan.ploing.de/linux/gpg-mailman


Stefan.
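The "partially signed message" problem above is a structural check a list can make before it even calls gpg: does the clearsigned block cover the whole body, or is there unsigned text outside it? The following is an added example (not code from this post, from mailman-ssls or from gpg-mailman) that splits an RFC 4880 cleartext-signed body into its unsigned prefix, signed text and unsigned suffix; the sample messages and the signature blob are constructed and not real signatures. The actual signature verification and the lookup of the signer's key against the registered subscribers still have to follow.

```python
# Structural check for clearsigned list posts: is everything inside the
# signed region, or has unsigned text been prepended/appended (e.g. a
# replayed signed mail with new text added around it)?
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(body):
    """Return (unsigned_prefix, signed_text, unsigned_suffix).

    Returns None when the body carries no clearsigned block at all.
    """
    lines = body.split("\n")
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        return None
    # Armor headers ("Hash: SHA256") follow the BEGIN line up to a blank line.
    i = start + 1
    while i < sig_start and lines[i].strip():
        i += 1
    # Undo dash-escaping ("- " prefix) inside the signed text.
    signed = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]
    return "\n".join(lines[:start]), "\n".join(signed), "\n".join(lines[sig_end + 1:])


def unsigned_text(body):
    """Non-whitespace text that sits outside the signed region (or the whole
    body when there is no signed block)."""
    parts = split_clearsigned(body)
    if parts is None:
        return body.strip()
    prefix, _, suffix = parts
    return (prefix + suffix).strip()


def fully_signed(body):
    """True only if a signed block exists and covers the whole body.
    Whitespace outside the block is tolerated, which is what mail clients
    that add a trailing blank line need."""
    return split_clearsigned(body) is not None and unsigned_text(body) == ""


# Constructed sample: a post that is signed as a whole (fake signature data).
SIGNED_ONLY = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello list, this is the real post.
- -- signed-off line, dash-escaped by the client
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdCONSTRUCTEDNOTAREALSIGNATURE
-----END PGP SIGNATURE-----
"""
# Constructed sample: the same signed mail with unsigned text appended.
REPLAYED = SIGNED_ONLY + "\nUnsigned text added after the signature\n"
```

A list that only checks "some part is signed" accepts REPLAYED; `fully_signed` rejects it and `unsigned_text` shows exactly what was added.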
