
All forms of signing email are generally solving the wrong problem - fomine3
https://utcc.utoronto.ca/~cks/space/blog/tech/SignedEmailWrongProblem
======
Sebb767
DKIM is not solving the wrong problem, DKIM is solving an underlying problem.

The suggestions to use reputation, accounts etc are still fine and good, but
step 0 is to check whether that guy on the other side is who he says he is -
and that's where DKIM comes in.

~~~
1vuio0pswjnm7
Yeah, but it doesn't check whether that guy on the other side is who he says
he is, it only checks whether that _domain_ on the other side is what it
appears to be (registered via ICANN-approved registrar to "that guy"). DKIM
relies on DNS. It checks on domains, not people. You have no reliable
assurance from DKIM of who is actually controlling that domain. It might not
be "that guy" but someone else. DNS is not without its vulnerabilities
(including social engineering). Any security mechanism based on DNS is only as
"secure" as DNS, which isn't very.

~~~
irjustin
I mean you're technically not wrong, but how do you confirm ownership of an
identity?

At some point you have to "trust a system". Block Chain, Social Security ID,
Drivers License, Passport, even DNS are all susceptible to some form of attack
vector.

I could do a DNA test to verify you, provided I did one before.

> is only as "secure" as DNS, which isn't very

I'd argue DNS itself is quite secure. It has lots of issues, but it's so
widely used those issues are known and mitigated for. DNS as a system receives
an insane amount of attacks. There's just too much money involved for people
not to pay attention for attackers and defenders.

I will agree that _your_ DNS isn't secure. It's analogous to saying your Gmail
isn't secure, but Gmail itself is just fine.

~~~
ratiolat
Well, Estonia has id-card, which in addition to ordinary id card functionality
also provides PKI.

If I remember correctly, they rolled out PKI ~2005ish. It has done wonders for
them.
[https://e-estonia.com/solutions/e-identity/id-card/](https://e-estonia.com/solutions/e-identity/id-card/)
[https://en.wikipedia.org/wiki/Estonian_identity_card](https://en.wikipedia.org/wiki/Estonian_identity_card)

~~~
sleevi
Which the EU is debating making an equivalent European wide version mandatory,
and requiring websites/private companies adopt and use it (via SAML; instead
of username/passwords or things like OAuth/OpenID Connect). In this vision,
any online interaction that would require an identity would minimally be
required to accept your European identity, and may be prohibited (via GDPR or
DSA) from offering other forms of sign-in.

Read the Roadmap at
[https://ec.europa.eu/info/law/better-regulation/have-your-sa...](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12528-European-Digital-Identity-EUid-)
and comment on the Public Consultation if you have feelings about that.

Explicitly part of the goal is either a pan-European ID card or requiring
every Member State to adopt one. Currently, MS aren’t required to. When the UK
was in the EU, the idea of a digital ID that could be used by the government
to track all of your activities online was... not popular. However, despite
Brexit, the idea is being reintroduced, this time to “fight coronavirus”.
[https://www.bbc.com/news/uk-politics-54010432](https://www.bbc.com/news/uk-politics-54010432)

------
spacedcowboy
I don’t know about signing, but my email domain (my surname.net) is now 30 or
so years old. It gets^w got a lot of spam...

A decade or so ago, I set up a catch-all account so <anything>@mydomain.net is
redirected to an isp-account that I have as one of my email identities. In
this case I used <account>@mac.com. It’s basically just a front-line imap
repository, stuff I want to keep will move off it.

Whenever I need to supply an email to an online site, I use <company
name>@mydomain.net. The only time this hasn’t worked is with Samsung, who
won’t let you sign up as ‘samsung@...’, generally it’s ok though.

There is another rule on the mail server, send-to-trash. This accepts all
email and just bins it. I can move <anything>@mydomain to this rule at the
click of a button in a second or two with a web-interface. I do this for:

\- unsolicited email sent to a random “name” at my address, this is actually
fairly rare now that most of the obvious ones are gone

\- when the mail content doesn’t match the <company name> part, ie: where the
address has been sold to an email-list.

\- when I want to expire the email address. Sometimes this is temporary, and I
have an address I want to keep, but it’s currently being spammed. Making the
server send reject messages for a while usually helps. Usually.

Using this, I’ve managed to keep the same email domain since college some 30
years ago actually useable and useful. YMMV :)

~~~
Ayesh
I've been doing this for about 10 years now too! It's very convenient to "expire" the
email addresses that are sold off.

Another thing I do is to use a spam@domain.com email when an annoying site
tries to force me to login. All emails to this spam email address are sent to
trash with a filtering rule, and I manually open my trash to click the
verification link.

With catch all emails, you need a string "... -all" SPF to make others reject
bounce spam messages.

------
kwhitefoot
> It's possible that email clients could learn some lessons from this, for
> example by splitting your inbox into 'people and places you've interacted
> with before' and 'new contacts from strange people'.

That's how I have Thunderbird set up. I have a rule that puts mail from anyone
not in my contacts list into a folder called Unrecognized Sender.

------
AdamJacobMuller
S/MIME is excellent.

I know it's currently more suitable for an organization than individuals, but,
I think with a bit of glue it would work fantastically at internet-scale.

~~~
bawolff
What's your proposed solution to the PKI-is-hard if you're not an org problem?

~~~
AdamJacobMuller
LetsEncrypt starts signing email certs. That part is easy.

~~~
tialaramex
ISRG (the charity behind Let's Encrypt) has been pretty clear in the past that
they aren't interested in doing that. Do you have some particular reason
beyond wishful thinking to believe that will change?

If you want to build a CA that issues S/MIME certs you can already do that. If
you want to leverage ACME you can even do that (using
[https://datatracker.ietf.org/doc/draft-ietf-acme-email-smime...](https://datatracker.ietf.org/doc/draft-ietf-acme-email-smime/)
for example).

Perhaps you can persuade S/MIME client implementations that your certificates
are universally trustworthy, and then you've got the makings of a PKI for
S/MIME. But I would not hold my breath.

~~~
AdamJacobMuller
Sure, so, set up your own email cert issuing ACME compliant CA. Still easy.

~~~
tialaramex
You're the one who wants this, so it's you that will need to set up a
Certificate Authority and then get it trusted everywhere for S/MIME. I
genuinely wish you good luck with that.

------
paxys
There are two (well, lots more than two) different problems with email. DKMS
solves spoofing. That isn't a more or less "wrong" problem than spam. The
latter just needs a different solution (and Google etc. have become pretty
good at it).

------
mrjin
The author obviously has no idea why email signing is there. And what he was
proposing, an authorizing system, or white-list system has been there for quite
a while but why is it not enabled by default? It creates more problems than
the problems it resolves. Just imagine how it is going to work if you need to
send a legit email to someone for the first time. If you are going to need
authorization to do it, how do you get that required authorization? By calling
the recipient or sending them a letter so that they can add you to the list? Then
what's the point of sending email in the first place?

~~~
dgellow
I believe that Hey does something like this:

1\. A stranger sends you an email

2\. Hey asks you if you want to whitelist the sender or not

3\. If rejected, you won’t be bothered anymore by any of their emails

4\. Otherwise you just get their email moving forward and can decide to reject
them later if necessary

[https://hey.com/features/the-screener/](https://hey.com/features/the-screener/)

~~~
zucker42
I don't understand how this is a revolution. Doesn't Hey just do what any email
account can do with filters, but wrap it in a nice UI?

~~~
dgellow
Obligatory link to Dropbox’s Show HN comment:
[https://news.ycombinator.com/item?id=9224](https://news.ycombinator.com/item?id=9224)

~~~
zucker42
Yeah I don't think it's not useful, just not revolutionary. Gmail's spam
filtering is already pretty good.

~~~
dgellow
It’s a whitelist of senders as far as I understand, not a spam filter. That
results in spam being ignored but for other reasons than what a spam filter
would do

------
bawolff
Pretty unconvinced that (the lack of) revokable authorization is the problem
with email. But for the sake of argument, let's say it was.

DKIM+whitelist solves that problem, so dkim would still be solving the right
problem.

------
m12k
Another problem with email is that it's your responsibility to keep your
contacts list up-to-date when people change their email address. By comparison
Facebook doesn't have that problem - for example organising a high school
reunion is much more likely to succeed if you contact people via Facebook than
via email. I really hope email (or its successor) can copy more of the
benefits that currently draw users into those walled gardens.

~~~
emersion
Facebook's strategy to achieve this is to disallow people from having two
different accounts. Things are different on e.g. Twitter where it's common to
have two accounts for different usage (like email).

Do you suggest disallowing people from having two different email addresses?

~~~
m12k
No, I'm suggesting that once I've authorized someone to be able to contact me,
switching to a new email address should not break that.

------
GnarfGnarf
I've been using SpamArrest for about ten years, and I'm very happy with it.

I always whitelist in advance any person or domain I expect to hear from.
SpamArrest gives me a chance to hear from legitimate strangers. If a sender
refuses to reply to the challenge email, then what (s)he had to say couldn't
be that important.

------
teddyh
Here we go again.

I suggest that everyone in the comments with a pet idea read this:
[https://craphound.com/spamsolutions.txt](https://craphound.com/spamsolutions.txt)

~~~
natcombs
What new pet idea did the article suggest? I must have missed it

~~~
teddyh
I meant the people here in the comments with ideas, not the article. Edited to
clarify.

------
crispyporkbites
DKIM works well for what it does. Assuming that what the author describes as
“revocable authorization” is a desirable feature (I don’t really get why a
user wouldn’t just filter them with a block list or white list approach, but
whatever) - how is this possible without a centralised provider?

If it’s only possible with a centralised entity like Twitter, it’s not going
to scale to last centuries like email will.

~~~
em-bee
because current filter tools are not specific enough or easy enough to use for
that purpose. i basically only got the option to mark something as spam and
let the algorithm figure out why.

i'd like to sort email by these categories:

signed emails with a known/whitelisted key.

signed emails with a known/blacklisted key

signed emails with an unknown key.

unsigned emails with a known/whitelisted email address

unsigned emails with a known/blacklisted email address

unsigned emails with an unknown address.

and finally emails with obviously fake addresses.

whitelisted keys go to my inbox. those will be spam free.

blacklisted keys are blocked/bounced/sent to spam.

new keys go into a new contacts folder with a spam rating based on content.
then i walk through that folder and accept or block keys.

for unsigned emails the same is done based on the address.

whitelisted addresses get a spam rating in a second inbox.

blacklisted addresses get blocked and unknown addresses get checked manually.

unknown keys or addresses can further be separated into: received only one
email from this address or multiple emails.

when i reply to an email the key or address gets whitelisted automatically.
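
The sorting scheme in the comment above, written out as an added example (not code from the commenter or from any mail client). The folder names, the `Triage` class and the test for an "obviously fake" address are assumptions, and `key_id` is taken to be the fingerprint of a signature that some other component has already verified.

```python
from collections import Counter
from email.utils import parseaddr


class Triage:
    def __init__(self):
        self.allow_keys, self.deny_keys = set(), set()
        self.allow_addrs, self.deny_addrs = set(), set()
        self.seen = Counter()  # messages seen per still-unknown key or address

    @staticmethod
    def _addr(from_header):
        return parseaddr(from_header)[1].strip().lower()

    def classify(self, from_header, key_id=None):
        """Return a folder name. key_id is None for unsigned mail."""
        if key_id:
            # Signed mail is judged by its key only; the From text is ignored.
            return self._route(key_id, self.allow_keys, self.deny_keys,
                               "inbox", "new-contacts")
        addr = self._addr(from_header)
        local, _, domain = addr.partition("@")
        # Assumed meaning of "obviously fake": no local part, a second "@",
        # or a domain without a dot.
        if not local or "@" in domain or "." not in domain:
            return "fake-address"
        # An unsigned From header can be spoofed, so a known address only
        # earns the spam-rated second inbox, never the main one.
        return self._route(addr, self.allow_addrs, self.deny_addrs,
                           "second-inbox", "manual-review")

    def _route(self, ident, allow, deny, trusted, unknown):
        if ident in deny:  # a block entry wins over an allow entry
            return "blocked"
        if ident in allow:
            return trusted
        self.seen[ident] += 1
        return unknown + ("/first" if self.seen[ident] == 1 else "/repeat")

    def replied_to(self, from_header, key_id=None):
        """Replying whitelists the key if the mail was signed, else the address."""
        if key_id:
            self.allow_keys.add(key_id)
        else:
            self.allow_addrs.add(self._addr(from_header))
```

Trust attaches to the key for signed mail and to the address for unsigned mail, so an unsigned message that merely claims a whitelisted signer's address still lands in manual review.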

------
upofadown
All you have to do is to ignore email that is signed by entities you don't
know and/or don't like. It is as simple as that. The mystery is why people
accept anonymous email at all.

~~~
superkuh
As an independent email server operator for almost a decade I can tell you the
big three email providers _are_ boiling that frog.

~~~
1vuio0pswjnm7
If someone were going to register a domain to use for e-mail, what would you
recommend? Does the name chosen or TLD make a difference or is IP address the
sole determinant of "reputation"? I imagine the situation is like with search,
the filtering algorithms used are kept secret, probably because they are
biased toward protecting or improving the company's revenues.

~~~
lioeters
Both the registered domain and shared/dedicated IP address are factors in
determining email reputation. For example, see:

[https://www.mailgun.com/blog/domain-ip-reputation-gmail-care...](https://www.mailgun.com/blog/domain-ip-reputation-gmail-care-more-about/)

I've never heard about TLD being a factor, but who knows? It's possible.

------
xapata
Easy solution: enable a configurable monetary barrier. People who want notes
from strangers can set it low, people who don't can set the price higher.

Hey, Basecamp, can you make that feature for me?

~~~
aeternum
Interestingly, this is where the proof-of-work idea for Bitcoin likely came
from (hashcash). Basically prove you've done X amount of CPU work in order to
send me an e-mail.
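
What "prove you've done X amount of CPU work" looks like for a hashcash version 1 stamp, as an added example that is not part of the original comment. The function names, the 28-day acceptance window and the in-memory `spent` set are assumptions; the checks go beyond the comment to cover what a receiving filter needs (recipient binding, freshness, replay).

```python
import base64
import hashlib
import os
from datetime import date, datetime


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource: str, bits: int = 20, today: date = None) -> str:
    """Sender side: search for a counter that gives `bits` leading zero bits."""
    today = today or date.today()
    rand = base64.b64encode(os.urandom(12)).decode()
    prefix = f"1:{bits}:{today:%y%m%d}:{resource}::{rand}:"
    counter = 0
    while True:  # expected cost is about 2**bits SHA-1 evaluations
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, recipient: str, min_bits: int, spent: set,
           today: date = None, max_age_days: int = 28) -> bool:
    """Receiver side: one hash, plus the checks that stop stamp reuse."""
    today = today or date.today()
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
        minted = datetime.strptime(parts[2][:6], "%y%m%d").date()
    except ValueError:
        return False
    if bits < min_bits:                        # sender claimed too little work
        return False
    if parts[3].lower() != recipient.lower():  # stamp was minted for someone else
        return False
    if abs((today - minted).days) > max_age_days:  # stale or post-dated
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False
    if stamp in spent:                         # same stamp presented twice
        return False
    spent.add(stamp)
    return True
```

The asymmetry is the point: minting costs the sender thousands to millions of hashes per recipient, while verification costs the receiver one hash and a set lookup.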

~~~
xapata
Yeah, but I don't want you to waste electricity. Just send me the money
instead of the utility company.

