On a regular basis I receive blog comments and suggestions on what magical technologies will put spam out of business. There are many valid techniques for stopping spam, but signing e-mails and e-mail senders is not one of them.
After my recent post on the impact of false positives, I received a comment from a reader who suggested that public key cryptography would eliminate the spam problem. The basic idea is that complex mathematics would guarantee knowledge of the originator of an e-mail, eliminate the anonymity of the sender, and unmask the spammer.
I have heard this suggestion several times before, and while it definitely sounds like a sexy solution to stopping spam, it is unworkable for several reasons.
Signing e-mails requires a technology known as "Public Key Cryptography". I am going to assume that most of you know what this is. An essential element to public key cryptography is an infrastructure component known as a "web of trust", or a connected network of individuals who guarantee the validity of a user's key within their local view of the community. Any pair of users on the network can then validate each other's public key by examining the chain of individuals that separates them in the web of trust.
(Yes, public key cryptography can be performed between two individuals without a full-blown web of trust, but it would not scale to incorporate every person on the planet.)
If this concept sounds familiar to those of you who have never heard of public key crypto, that is because it is also how individuals vet each other in our society. We trust those whom have been introduced to us by a trusted friend or family member. The act of exploring the set of those close to us to discover connections to new individuals and sharing our connections with our friends is so important to our society that we have created some of the most valuable properties on the Internet to codify the act. Facebook, MySpace, and LinkedIn did not become so popular because they introduced a new means of interaction; they only made a means of interaction that is essential to society far more efficient.
Here is the rub: if public key cryptography, which is a means of impressing an identity onto digital content, were able to stop spam, then there should be no spam on the massive webs of trust that are social networks. The reality is that spam inside social networks is a major problem. Most individuals will accept spammers as friends willingly, as the definitions of "trust" and "friend" have changed heavily. Spammers also attack the authentication mechanism for the social network, compromising the accounts of well-connected individuals with weak passwords using either dictionary attacks or post-compromise keyboard sniffing. There is no reason to assume that cryptographic webs of trust applied to the e-mail community would be treated any differently.
There are many technologies out there that reduce the spam problem, and there are a few more that can be introduced to clamp down further. Public key cryptography for signing e-mails and e-mail senders isn't one of them.