Great Circle Associates List-Managers
(November 1999)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: AOL Situation Resolved, 2 (vetting)
From: garyb @ fxt . com
Date: Fri, 19 Nov 99 10:15:06 -0800
To: List-Managers @ GreatCircle . COM
References: <>
Reply-to: garyb @ fxt . com

Actually, a vetting database would be fairly easy, if the traffic  
level can be supported.  Here is the outline of one model, based on  
authentication/validation systems for VPNs and other systems.  This  
example is oriented around a 3rd party (think of them as equivalent  
to Verisign or Thawte - root certificate signers)

We use PGP as the basis.  A mail lister gets a new ID phrase from  
the root every day, for example, via a secure query.  This ID phrase  
is different for each list, and changes daily.  The lister decrypts  
the phrase using the root's public key, then recrypts it using its  
own private key and AOL's public key.  It inserts the phrase in each  
email going to AOL.  (It encrypts the phrase with other providers'  
public keys for those providers, duh.)

AOL picks up the mail, decrypts the key, and compares it to its own  
query to the root for that mail list's ID for the day.  If they  
match, the mail is legit and goes through unless AOL has some reason  
to block it.  AOL need not query more than a few times per day per  
list, as it can be cached for a certain time.

Thus, AOL knows that the mail is from the real list, and can follow  
user-defined policy as to whether to let it through or not, either  
globally or per user.  It need not know anything about the list,  
only that it's listed.  Also, this doesn't require AOL or the mail  
list to participate - only those who want to use this service need  
do so.

The entire system could be incorporated into list software, so the  
mail list managers have a relatively limited additional  
administrative burden.  All key management and phrase queries could  
be done via email as well, so no additional ports would be required.

There would be a once-per-year cost for the certificate (like  
secure servers) which might be a problem for small lists, unless  
it's per list server, not per list.  This could still work if the ID  
can be used for multiple lists, with the presumption that the list  
server would not forge its own lists.

Hey, I'd think this would be a good opportunity for someone to do -  
Thawte might even want to provide this service.  Hey I might even  
do it if folks are interested.  Would you pay $100 per year for  

Indexed By Date Previous: Re: AOL Situation Resolved
Next: Re: Listserver registry?
Indexed By Thread Previous: Re: AOL dropping mail
From: "Bernie Cosell" <>
Next: Re: AOL Situation Resolved, 2 (vetting)
From: "Ronald F. Guilmette" <>

Search Internet Search