In message <199806111918 .
edu>, you wrote:
>It might be feasible to get public key signing of list messages
>folded into new releases of some list software...
Or maybe into a forthcoming RFC (?)
>... But there would be a significant time lag getting it adopted.
>The particular scheme you suggest sounded like it might be possible
>for a spammer to subscribe to a real list and re-use its
>authentication header on spam, since you are only signing the
>Date: header, not the message body...
No, because the spammer would not actually ever be in possession of the
_true_ list owner's private key. Thus, he could not properly encrypt
the date/timestamp so that it would properly decrypt with the corresponding
>There's also the question of ITAR and cryptography; though I think
>this can be bypassed if you can use a scheme that can only
>be used for signing and not for encryption.
History has shown that export from the U.S. is rarely if ever necessary
with these sorts of things. You just get someone in some less anal location
than the U.S. (e.g. Europe) to write the code and put it up on an FTP site
there and then we Americans can _import_ it rather than exporting it.
-- Ron Guilmette, Roseville, California ---------- E-Scrub Technologies, Inc.
-- Deadbolt(tm) Personal E-Mail Filter demo: http://www.e-scrub.com/deadbolt/
-- Wpoison (web harvester poisoning) - demo: http://www.e-scrub.com/wpoison/
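
The question debated above, whether a signature that covers only the Date: header still verifies once that header is copied onto a different body, can be checked directly. This is an added example, not part of the original message or of any list software; the toy RSA key, the `X-List-Sig` header name and the sample messages are constructed assumptions.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed, demo only:
# far too small and unpadded for real use).
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # list owner's private exponent

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Done by the list owner, the only holder of D."""
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    """Done by any recipient with the public key (N, E)."""
    return pow(sig, E, N) == _digest(data)

def covered_date_only(msg: dict) -> bytes:
    # Scheme as described in the thread: only the Date: header is signed.
    return msg["Date"].encode()

def covered_date_and_body(msg: dict) -> bytes:
    # Alternative: bind the signature to the body as well.
    return msg["Date"].encode() + b"\n" + hashlib.sha256(msg["Body"].encode()).digest()

def stamp(msg: dict, covered) -> dict:
    """List software adds the signature header (hypothetical name X-List-Sig)."""
    return {**msg, "X-List-Sig": sign(covered(msg))}

def check(msg: dict, covered) -> bool:
    """Recipient-side check of the signature header."""
    return verify(covered(msg), msg["X-List-Sig"])

def with_body(signed: dict, new_body: str) -> dict:
    """Same Date and signature headers, different body. Uses no private key."""
    return {**signed, "Body": new_body}

if __name__ == "__main__":
    # Constructed sample message.
    post = {"Date": "Mon, 01 Jan 2001 00:00:00 +0000", "Body": "Real list post"}
    for covered in (covered_date_only, covered_date_and_body):
        signed = stamp(post, covered)
        print(covered.__name__, check(signed, covered),
              check(with_body(signed, "Unrelated text"), covered))
```

A recipient who also rejects signatures whose Date: falls outside a short freshness window narrows the reuse period for the Date-only scheme, but only covering the body removes it.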