[Asterisk-Users] VOIP Spam

Tracy R Reed treed at copilotconsulting.com
Sat Apr 17 17:46:13 MST 2004


On Sun, Apr 18, 2004 at 10:22:08AM +1000, Duane spake thusly:
> Just a little matter of key distribution, how do you know the CA key 
> given to you is actually the CA? Especially since Thawte no longer does 
> PGP key signing and VeriSign is making too much money from PKI...

Same way I know someone's key is theirs by the PGP fingerprint. It's well
publicized and they use it quite a bit.

> There are a number of issues with the PGP model, it contains an email 
> address, how do you match that against a hostname? As far as I know 
> there are no hardware devices to store PGP keys, or accelerator cards 
> (crypto does chew through a bit of CPU) both devices exist for PKI 
> certificates/keys...

Not sure what you mean by matching an email address against a hostname but
a lot of the crypto accelerator cards implement fundamentals that could be
used in either system and more specific hardware devices would certainly
come along if more people used it. But with the speed and SIMD capability
of modern CPUs I'm not too concerned either way.

> Mozilla Foundation, its developers and direct support staff 
> (paid/unpaid) are currently reviewing about a dozen or so CAs for 
> inclusion in their browser, CAcert is one of them, which will be good 
> for the community if we can get in, as we provide all certificates for 
> free...

Very cool.

> This would be good and bad, if you force the issue you will end up with 
> 2 things, less people being able to email you, and in the very long term 
> encrypted spam so we end up with them beating scanners that way...

If the MUA authors forced the issue everyone would use crypto. Look at
what Outlook did for HTML mail. Encrypted spam would be difficult for the
spammers to do. It would consume huge resources, make spam a lot more
expensive, and if they signed the spam with a trusted key such that my MUA
trusted them you can be sure the signer would revoke his signature lest he
get the signatures on his own key revoked by someone.

> and runs the program in the zip file infecting themselves... So I 
> foresee a lot of misuses from crypto as much as anything else if/when 
> the general populace gets into it...

Some very interesting points. Especially about encrypted spam confounding
the government. Although I doubt they would encrypt spam it does add chaff
to the wheat to help hide us all. Just like the everyone sending their
letters in envelopes instead of on postcards analogy.

> So that's why people still get broken into and all their contents stolen :)

On a per capita basis it's not nearly as often as computers get broken
into. :) Whenever anyone bothers to try to physically secure their stuff
they usually do a pretty good job. Not so with computers.

-- 
Tracy Reed                     The attachment is a digital signature.
http://copilotconsulting.com   More info: http://copilotconsulting.com/sig