JH> Date: Sat, 5 Feb 2005 19:18:53 -0000 JH> From: J�rgen Hovland JH> A cryptographic signature would be a perfect guarantee as it can be JH> used for direct identification and authorisation if you were No, it's not direct. You trust whoever signed the key. Note that I agree PGP key signing is less prone to attack than unsigned SPF. The severity of the difference is a matter for discussion... JH> guaranteed that the only user of the signature was infact you and JH> not the spyware on your machine. The implementation is everything. A cryptosig can ensure that the ISP didn't alter the message. AFAIK, most MUAs pull cryptosigs from the registry/configs. Could malware do the same? You bet. JH> To prevent spyware using your signature you can for example use some JH> sort of local signature engine and a fingerprint reader. It isn't Specifics, please. You'd need to ensure that the fingerprint reader would operate at a protection level that the spyware couldn't access. That's currently an unrealistic assumption. A worthy goal, but a bit of a stretch these days. JH> possible to steal the private key because only the engine can decode JH> it. Emails can only be signed with that signature by the engine, and JH> the engine needs your fingerprint first. But who really wants to JH> stick your thumb in the reader for every email you send? *shrug* Put a print reader on a keyboard... hold down finger/thumb a few seconds to authenticate... flush the queue for messages created prior to auth... [ snip ] JH> Now that you are identified and authorised - I can still send you JH> spam! How can I stop you from doing it? I can remove your Exactly. You can still send spam, but the sender is accurate. IMNSHO there is benefit in quickly determining *who* is responsible. I don't claim to have the FUSSP. The lack of such does not mean that partially-effective measures are worthless. (Hint: Nothing in the history of mankind has stopped murder. Should we discount all laws, punishments, et cetera?) Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita ________________________________________________________________________ DO NOT send mail to the following addresses: davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.