[Asterisk-Users] VOIP Spam

Duane digium at aus-biz.com
Sat Apr 17 17:22:08 MST 2004


Tracy R Reed wrote:

> I prefer the PGP model because it includes the CA model. That is to say
> that you can still have a CA within the PGP model. Both myself and my
> colleague from Africa could pay a central CA we both trust (Verisign,
> Thawte, whoever) to sign our keys and connect us in the web of trust. 

Just a little matter of key distribution, how do you know the CA key 
given to you is actually the CA? Especially since Thawte no longer does 
PGP key signing and Verisign is making too much money from PKI...

There are a number of issues with the PGP model, it contains an email 
address, how do you match that against a hostname? As far as I know 
there are no hardware devices to store PGP keys, or accelerator cards 
(crypto does chew through a bit of CPU), both devices exist for PKI 
certificates/keys...

> Yep. We end up with collusion which prevents competition in the CA space.
> It's a shame common browsers only support a few select CA's.

Mozilla Foundation, its developers and direct support staff 
(paid/unpaid) are currently reviewing about a dozen or so CAs for 
inclusion in their browser, CAcert is one of them, which will be good 
for the community if we can get in, as we provide all certificates for 
free...

> I think huge improvements are needed in software to handle this. We really
> need to encourage everyone to use signatures etc. and make them so
> prevalent that email programs etc. will simply refuse to accept or display
> non-signed and authenticated messages/connections/whatever.

This would be good and bad, if you force the issue you will end up with 
2 things, fewer people being able to email you, and in the very long term 
encrypted spam so we end up with them beating scanners that way...

It's a balancing act, push things one way you have to even them up the 
other...

There will be 3 consequences from mass encryption adoption, encrypted 
spam, and forcing governments to do due diligence as they will no longer 
be able to simply passively collect any traffic passing their monitoring 
devices, they'd have to go back to a situation of only targeting people 
they really had to, this is obviously a good thing, and even the 
encrypted spam, while being annoying would tick any gov surveillance off 
due to sheer number of spam messages that could be encrypted that would 
be the equivalent of noise to them... 3rd is a little more serious, 
since most people wouldn't care about due diligence with crypto they 
wouldn't care if they did it right or who they accepted, this is clearly 
visible from the latest virus trends where they exploit human ignorance, 
greed and stupidity not exploiting computer software. What else could it 
be called where a person opens a zip file, uses a password in the email, 
and runs the program in the zip file infecting themselves... So I 
foresee a lot of misuses from crypto as much as anything else if/when 
the general populace gets into it...

> Indeed but that is a far better situation than we are in now. We know very
> well how to deal with physical security due to thousands of years of doing
> so.

So that's why people still get broken into and all their contents stolen :)

-- 
Best regards,
  Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers


