PGP messages getting flagged as spam

Jason Harris jharris at widomaker.com
Fri Oct 19 05:56:59 CEST 2007


On Wed, Oct 17, 2007 at 09:34:34AM +0200, Sven Radde wrote:

> Probably true, but how will spammers get signatures on their stuff that
> are valid *for me*? They would have to compromise one of the keys that
> are valid on my keyring or one that would be considered trustworthy by
> means of the web-of-trust.

Why not just take some signed content from a key in the strong set,
like this message, and add some unsigned spam to it?  It would be
a great way to ruin keys by making them "spam-keys."

> Maintaining a dedicated database of "spam-keys" that had been
> trustworthy but were used for spam would help, too (to assign messages
> signed by those keys a bad score).

(These are best revoked by their owners, of course.)

Unfortunately, these databases might be naively implemented as
keyservers, or existing keyservers could start being burdened with
"votes" in the form of signatures and/or revocations from any number
of signers (voters).  At most, you would only want to publish
fingerprints of such keys rather than helping propagate and/or
bloat them.

Worse, how do you determine that some replayed signed content was
indeed replayed?  Does everyone now have to start publishing lists
of the hashes for all their unencrypted, signed messages and the
intended recipient(s) for each message?  How would these lists
be verified?

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: not available
Url : /pipermail/attachments/20071018/3bf2f79e/attachment.pgp 
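The two concerns Jason raises (unsigned spam glued onto a genuinely signed block, and replay of previously seen signed content) can both be checked structurally on the receiving side before any reputation scoring. The following Python is an added example, not code from the thread or from GnuPG. It assumes cryptographic verification of the signature is delegated to gpg separately; it only splits a clearsigned message along the RFC 4880 armor markers, reports any text lying outside the signed region, and remembers a digest of (signed body, signature) so a second delivery of the same signed block is flagged as a replay. The sample message and its signature block are constructed and are not a real signature.

```python
"""Structural checks for clearsigned PGP messages (added example, constructed data).

Signature verification itself is left to gpg; this code answers two questions:
  1. Is there any text outside the signed region (content appended to, or
     prepended to, a block that gpg would otherwise report as good)?
  2. Has this exact signed block (body + signature) been seen here before?
"""
import hashlib
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return (prefix, signed_body, signature_block, suffix) for a clearsigned
    message, or None if the armor markers are missing or out of order."""
    i = text.find(BEGIN_SIGNED)
    if i < 0:
        return None
    j = text.find(BEGIN_SIG, i)
    if j < 0:
        return None
    k = text.find(END_SIG, j)
    if k < 0:
        return None
    prefix = text[:i]
    header_and_body = text[i + len(BEGIN_SIGNED):j]
    # Armor headers such as "Hash: SHA256" end at the first blank line.
    sep = header_and_body.find("\n\n")
    body = header_and_body[sep + 2:] if sep >= 0 else header_and_body
    signature = text[j:k + len(END_SIG)]
    suffix = text[k + len(END_SIG):]
    return prefix, body, signature, suffix


def canonical(body):
    """Clearsign canonicalisation per RFC 4880 section 7: undo dash-escaping,
    strip trailing whitespace on each line, normalise line endings."""
    lines = []
    for line in body.replace("\r\n", "\n").split("\n"):
        if line.startswith("- "):
            line = line[2:]
        lines.append(line.rstrip(" \t"))
    return "\n".join(lines).rstrip("\n")


def unsigned_text(message):
    """Non-whitespace text outside the signed region; the whole message if it
    is not clearsigned at all."""
    parts = split_clearsigned(message)
    if parts is None:
        return message.strip()
    prefix, _, _, suffix = parts
    return (prefix.strip() + "\n" + suffix.strip()).strip()


class ReplayTracker:
    """Remembers digests of signed blocks already delivered to this recipient.
    In-memory here; a real deployment would persist the set."""

    def __init__(self):
        self.seen = set()

    def check(self, message):
        parts = split_clearsigned(message)
        findings = {
            "clearsigned": parts is not None,
            "unsigned_text": unsigned_text(message),
            "replay": False,
            "digest": None,
        }
        if parts is None:
            return findings
        _, body, signature, _ = parts
        # Hash the canonical body together with the signature payload: the same
        # text re-signed later is a new signing event, not a replay.
        sig_payload = re.sub(r"\s+", "", signature[len(BEGIN_SIG):-len(END_SIG)])
        digest = hashlib.sha256((canonical(body) + "\n" + sig_payload).encode()).hexdigest()
        findings["digest"] = digest
        findings["replay"] = digest in self.seen
        self.seen.add(digest)
        return findings


# Constructed sample: the signature block is a placeholder, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi list, here is my genuinely signed note.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEconstructedPlaceholderNotARealSignature000000=
=AbCd
-----END PGP SIGNATURE-----
"""
# The same signed block with unsigned text appended after the armor (constructed).
APPENDED = SAMPLE + "\nAppended unsigned line: visit http://example.invalid/\n"

if __name__ == "__main__":
    tracker = ReplayTracker()
    for label, msg in (("original", SAMPLE), ("appended", APPENDED)):
        print(label, tracker.check(msg))
```

A message whose `unsigned_text` is non-empty should be scored as if it were unsigned, regardless of what gpg says about the signed portion; a `replay` hit on a block whose signer is otherwise trusted is exactly the case the thread worries about, and is a reason to discount the signature rather than to distrust the key.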

