
Electronic Documents and reduction of Spam

03/02/11

01:45:26 am, by Paul ROBINSON
Categories: Announcements [A]

I spoke earlier about paperwork being mailed and how the Post Office is talking about the "low low price" of Priority Mail flat-rate envelopes, where a 30-page document can be mailed for $1.38 across the country vs. the "low low" price for Priority Mail of $4.95.

Why we still mail documents makes very little sense. I've come to realize it's basically inertia. I have copies of my signature scanned into the computer; when I have to e-mail a document image I use that. With one exception, almost anything could be done via PDFs and scanned documents as long as there was a means to include a signature, such as pasting an image of it on the document. The only things you have a problem with are documents that need authentication, e.g. notarized documents (or potentially ones requiring a Medallion guarantee, which is a higher standard than mere notarization; a bank employee has to guarantee the signature is valid. That's used for things like stock certificates and so forth.)

This is where electronic notarization is working to find a way to solve that problem so that documents in a computer can be "signed". What we have to realize is that signing documents is intended to provide two things: authentication and non-repudiation. The signature itself is done to authenticate the party who signed it. A second party witnessing a signature, such as a notary, is there to provide non-repudiation, i.e. you can't claim you didn't sign it when the notary countersigns what you signed.

Electronic "keys" in Public Key Signature systems (PKS) attempt to provide these, because you have a private key and a public key. You use your private key to mark the document with a hash (a mathematical summary of the contents); anyone else uses your public key against the hash to confirm it's valid. Supposedly you can't generate the hash unless your private key made it. If your private key hasn't been compromised, obviously you must have done it.

One way to authenticate a transaction where two parties know each other is to create a hash with my private key, then hash that with your public key. If your private key hasn't been compromised, nobody else can create the same hash, so you know it's directed to you, and if the hash is correct when using my public key, nobody else could have written the document. It also means the document could not have been altered in transit. It provides authentication of both the sender and the content, and non-repudiation of the source of the document.

If we could get good, working PKS schemes properly operational, they could be used to stop a lot of botnet-generated spam. Spammers who infected my computer and stole my contact list couldn't generate mail to the people on it, because they wouldn't have my private key and might not have your public key, so they couldn't impersonate me by sending a signed message to you. The hashes wouldn't match and you would know it was forged.
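The receiver-side check described in the last three paragraphs, as an added example that is not part of the original post. It uses textbook RSA from the Python standard library with constructed keys and addresses, and it binds the recipient by signing the recipient address rather than by the public-key step the post describes; both are assumptions made for illustration.

```python
import hashlib

# Constructed demo keys: textbook RSA over well-known Mersenne primes, so the
# example is deterministic and stdlib-only. NOT secure (special-form primes,
# no padding); real mail signing uses a vetted library and scheme.
E = 65537

def make_key(p, q):
    """Return (n, d): public modulus and private exponent."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(*fields):
    """SHA-256 over length-prefixed fields, as an integer."""
    data = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, sender, recipient, body):
    """Sign the hash of (sender, recipient, body) with the private exponent."""
    n, d = key
    return pow(digest(sender, recipient, body), d, n)

def accept(contacts, sender, recipient, body, signature):
    """Receiver policy: accept only mail that verifies under the public key
    already on file for the claimed sender."""
    n = contacts.get(sender)
    if n is None:
        return False
    return pow(signature, E, n) == digest(sender, recipient, body)

ALICE = make_key(2**521 - 1, 2**607 - 1)        # Alice's key pair
BOT = make_key(2**607 - 1, 2**1279 - 1)         # key pair the bot made for itself
BOB_CONTACTS = {"alice@example.org": ALICE[0]}  # Bob holds Alice's public key

def demo():
    frm, to = "alice@example.org", "bob@example.org"
    body, spam = "Lunch at noon?", "Buy pills"
    good = sign(ALICE, frm, to, body)
    return {
        "genuine": accept(BOB_CONTACTS, frm, to, body, good),
        "altered_in_transit": accept(BOB_CONTACTS, frm, to, spam, good),
        "bot_forgery": accept(BOB_CONTACTS, frm, to, spam, sign(BOT, frm, to, spam)),
        "redirected_recipient": accept(BOB_CONTACTS, frm, "carol@example.org", body, good),
        "unknown_sender": accept(BOB_CONTACTS, "bot@example.net", to, body, good),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} accepted={ok}")
```

The rejection of the bot's forgery depends on the private key staying out of the malware's reach; a key stored unprotected on the infected machine is stolen along with the contact list.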

If you aren't allowed to send mail from your PC directly and have to use a standard mail server at your ISP, because the mail transfer agents of each domain are required to sign their mail, it eliminates botnet-transmitted spam: the botnets wouldn't have the ability to send mail directly, nor could they impersonate others, because they don't have the key to sign the documents. This would then eliminate spam from all but regular ISP-to-ISP e-mail. Then, if ISPs throttled customers who don't normally run mailing lists, it would slow down the amount of spam they could generate.

It might just help the problem. If messages had to be signed, either by the sender, or the ISP, or both, someone would have to come out from hiding. You could still send mail anonymously or pseudonymously, but you couldn't do it in bulk, which is where the money is in sending out spam. No bulk, no profit.
