This is exactly what I was addressing: remailers only have to get themselves certified as remailers and then prove their certification to the destination server, not do the whole hashcash shtick for every message. (For example,
At 06:53 PM 12/13/97 -0600, Uhh...this is Joe [Randall Farmer] wrote: they
could publish their public key's hash signed by some anti-spam organization, then sign the hash of the server's challenge to prove that they are a real remailer, not an advanced spammer imitating one)
I find this concept to have problems. I don't know how many there are, but with 4,000+ US ISPs, all of the schools, corporations, etc, there must be at least 50,000 mailhosts that would have to accept authentication. This whitelist concept, that if I am "good" I get approved and certified smacks of things which I generally oppose. And who keeps the whitelist? CAUCE? Verisign? Time Magazine? The NSA? Microsoft? How much would it cost for each of the 50K mail hosts to become certified? This is an administrative nightmare. The current alternative to this certification list is the configuration files such as domains.banned, user.banned, etc. Currently remailers can send mail most anywhere. I suspect that if remailers had to get certified (say a RASCi rating of "remailer") most mail hosts would begin denying mail from remailers. I don't believe that mail servers need to be certified. -- Robert Costner Phone: (770) 512-8746 Electronic Frontiers Georgia mailto:pooh@efga.org http://www.efga.org/ run PGP 5.0 for my public key