Lauren Weinstein, founder of People for Internet Responsibility, has come out with a new spam solution at http://www.pfir.org/tripoli-overview. According to this proposal, the Internet email architecture would be revamped. Each piece of mail would include a PIT, a Payload Identity Token, emphasis on Identity. This would be a token certifying that you were an Authorized Email User as judged by the authorities. Based on your PIT, the receiving email software could decide to reject your email.

It is anticipated that all PITs considered acceptable by the vast majority of all Tripoli-compliant software users would be digitally signed by one or more designated, trustworthy, third-party authorities who would be delegated the power to certify the validity of identity and other relevant information within PITs.

In other words, here comes Verisign again.

It is anticipated that in most cases, in order for the sender of an e-mail message to become initially certified by a PIT Certification Authority (PCA), the sender would need to first formally accept Terms of Service (ToS) that may well prohibit the sending of spam, and equally importantly, would authorize the certification authority to "downgrade" the sender's authentication certification in the case of spam or other ToS violations.

Thus you have to be politically acceptable to the Powers That Be in order to receive your license to email, aka your PIT. And be careful what you say or your PIT will be downgraded.

Unfortunately he doesn't discuss various crypto protocol issues: If the PIT is just a datum, what keeps someone from stealing your PIT and spamming with it? If the PIT is a cert on a key, what do you sign? The message? What if it gets munged in transit, as messages do? You've just lost most of your email reliability. Or maybe you sign the current date/time? Then delayed mail is dead mail. Or maybe you respond to a challenge and sign that? That won't work if relays are involved, because they can't sign for you.

Spam is a problem, but it's no excuse to add more centralized administrative control to the Internet. Far better to go with a decentralized solution like camram.sourceforge.net, basically a matter of looking for hashcash in the mail headers. This raises the cost to spammers without significantly impacting normal users.
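
What "looking for hashcash in the mail headers" can amount to, as an added example that is not code from this post, from camram or from the Tripoli proposal: a sender-side mint and a receiver-side check that needs no certification authority. It assumes the hashcash version 1 stamp format (ver:bits:date:resource:ext:rand:counter, SHA-1) carried in an X-Hashcash header; the addresses, the random field, the 12-bit cost and the 28-day window are constructed for the demonstration.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from itertools import count

def zero_bits(stamp: str) -> int:
    """Leading zero bits of SHA-1(stamp): the proof of work."""
    digest = hashlib.sha1(stamp.encode()).digest()
    return 160 - int.from_bytes(digest, "big").bit_length()

def mint(resource, bits, now, rand="Y29uc3RydWN0ZWQ"):
    """Sender side: search for a counter that yields `bits` zero bits."""
    prefix = f"1:{bits}:{now:%y%m%d}:{resource}::{rand}:"
    for counter in count():
        if zero_bits(f"{prefix}{counter:x}") >= bits:
            return f"{prefix}{counter:x}"

def verify(stamp, recipient, min_bits, now, seen, max_age_days=28):
    """Receiver side: one hash plus bookkeeping, no sender identity."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return "malformed"
    try:
        claimed = int(fields[1])
        day = datetime.strptime(fields[2][:6], "%y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return "malformed"
    if fields[3] != recipient:        # work must be spent per recipient
        return "wrong recipient"
    if abs(now - day) > timedelta(days=max_age_days):
        return "expired"              # coarse window: delayed mail still passes
    if claimed < min_bits:
        return "too cheap"
    if zero_bits(stamp) < claimed:    # claimed cost was never actually paid
        return "insufficient work"
    if stamp in seen:                 # one stamp pays for one delivery
        return "replayed"
    seen.add(stamp)
    return "ok"

if __name__ == "__main__":
    now = datetime(2003, 1, 10, tzinfo=timezone.utc)  # constructed date
    stamp = mint("alice@example.org", 12, now)        # constructed address
    print("X-Hashcash:", stamp)
    print(verify(stamp, "alice@example.org", 12, now + timedelta(days=3), set()))
```

The stamp covers the recipient and a day-granularity date rather than the message body, so a message munged or delayed in transit still verifies, and relays never have to sign anything.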