Re: [IETF-PKIX] Certificate Directories and Spam
>It seems to me that publicly accessible directories with certificates in
>them, especially those with email addresses conveniently located in the
>subjectAltName field will provide an irresistible source of targets to
>Spammers. The reason for raising this issue on this list, is that it seems
>to me that if this does happen it could greatly retard the deployment and
>acceptance of an Internet PKI.
If this really is a concern we could include the SHA-1 hash of the email
address in the cert rather than the address itself.

I don't think this is very important, however, since there are already many
ways for a spammer to get addresses: Usenet, mailing lists, etc. 10 million
addresses can be had for fifty bucks. The latest trend is to flood
mail servers with randomly chosen addresses in the hope that one or
two in a thousand will get through.

I proposed a similar scheme for a refusal list. People could sign up on
it and the list could be freely distributed to spammers without the danger
that it would be used as a source of addresses. The problem is that
the folk selling pyramid schemes, junk investments and (the favourite)
software to send SPAM have no interest in refusal lists.

I think that the solution to the spam problem is likely to be legislative.
The direct mail industry can fight it through the courts, libertarians
can flame, but the junk email is likely to disappear as completely as
the junk fax did. At the very least the adverts for spamming services
would go.
Phill
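
The two hashed-address ideas in the message above (a SHA-1 digest of the email address carried in the certificate, and a refusal list distributed as digests), sketched as an added example that is not part of the original post. The normalisation rule, function names and example.com addresses are assumptions made for illustration.

```python
import hashlib
import hmac

def normalize(addr: str) -> str:
    # Assumption: addresses are compared lower-cased with whitespace stripped,
    # so the publisher and the checker hash the same byte string.
    return addr.strip().lower()

def email_digest(addr: str) -> str:
    # SHA-1 as proposed in the message; hex-encoded for distribution.
    return hashlib.sha1(normalize(addr).encode("utf-8")).hexdigest()

def build_refusal_list(addresses):
    # The published list holds digests only, never the addresses themselves.
    return frozenset(email_digest(a) for a in addresses)

def filter_recipients(recipients, refusal_digests):
    # A sender drops every address it already holds whose digest is listed.
    # Addresses the sender does not already hold are not revealed by the list.
    return [r for r in recipients if email_digest(r) not in refusal_digests]

def cert_matches_sender(cert_email_digest: str, claimed_sender: str) -> bool:
    # A relying party that knows the sender's address checks it against the
    # digest carried in the certificate in place of the plain address.
    return hmac.compare_digest(cert_email_digest, email_digest(claimed_sender))

# Constructed sample data (not from the original post).
OPTED_OUT = ["alice@example.com", "Bob@Example.com"]
MAILING = ["alice@example.com", "bob@example.com", "carol@example.com"]
REFUSAL = build_refusal_list(OPTED_OUT)

if __name__ == "__main__":
    print(sorted(REFUSAL))
    print(filter_recipients(MAILING, REFUSAL))
    print(cert_matches_sender(email_digest("alice@example.com"),
                              " Alice@Example.COM "))
```

The digest is unsalted by design, since every checker must be able to recompute it from an address it holds; it therefore confirms addresses the checker already has rather than hiding them from that checker.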