
Saturday, 24 November 2007

Yahoo 'Domain Keys'

Yahoo this week announced they're working on open-source software that uses public key cryptography to digitally sign e-mail and verify its origins. Dubbed "DomainKeys", the project is getting some air-time - the launch date is vague, sometime in 2004, and the software will be compatible with Sendmail, qmail and postfix. E-mail sent through blessed servers will be tagged with a cryptographic signature as it passes through the mail server. Email clients or en-route mail servers can then read the signature from the e-mail's header and check it against a public key shared via DNS zonefiles to confirm authenticity, presumably dropping the message if something is wrong.
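
The sign-then-verify flow described above, as an added example that is not Yahoo's code and does not reproduce the DomainKeys wire format. Assumptions: a dictionary stands in for the DNS zone, the header name `X-Demo-Signature` is hypothetical, and the key is a constructed toy key used with textbook RSA (no padding) so the block needs only the Python standard library.

```python
import hashlib

# Constructed toy key built from two Mersenne primes. Never use such primes
# (or unpadded RSA) for a real signing key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the mail server

# Stand-in for the DNS zone: sending domain -> published public key (n, e).
DNS_KEYS = {"example.com": (N, E)}

SIG_HEADER = "X-Demo-Signature"  # hypothetical header name


def _digest(sender, body):
    """Hash the fields the signature covers: sender address and body."""
    data = sender.encode() + b"\n" + body.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_outgoing(sender, body):
    """Sending server: tag the message with a signature over sender + body."""
    sig = pow(_digest(sender, body), D, N)
    return {"From": sender, SIG_HEADER: format(sig, "x"), "body": body}


def verify_incoming(msg):
    """Receiving server or client: return 'pass', 'fail' or 'nokey'."""
    domain = msg["From"].rpartition("@")[2].lower()
    key = DNS_KEYS.get(domain)
    if key is None:
        return "nokey"  # the claimed domain publishes no key
    n, e = key
    try:
        sig = int(msg.get(SIG_HEADER, ""), 16)
    except ValueError:
        return "fail"  # header missing or malformed
    ok = 0 <= sig < n and pow(sig, e, n) == _digest(msg["From"], msg["body"])
    return "pass" if ok else "fail"


if __name__ == "__main__":
    m = sign_outgoing("alice@example.com", "Lunch at noon?")
    print(verify_incoming(m))
    print(verify_incoming({**m, "body": "Wire me money"}))
    print(verify_incoming({**m, "From": "alice@example.net"}))
```

A receiver still has to decide what to do with `fail` and `nokey`; the signature only ties the message to the domain that published the key.
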
Brad Garlinghouse, VP of communication products at Yahoo, says the project is part of a larger push. He argues that once "we actually have credibility and confidence that the E-mail that said it came from Yahoo.com actually did come from Yahoo.com, we then can use other intelligence and filters ... so that an individual user can, with confidence and effectiveness, determine what actually ends up in his or her in-box." "What we're proposing here is to re-engineer the way the internet works with regard to the authentication of e-mail," said Garlinghouse to Reuters.

"So What?" came the response from technology websites and bloggers in unison for much of the week. Cryptonomicon wonders if there's more meat to the idea hidden somewhere in the wings: "By itself, this will do nothing to authenticate users or cut down on spam. It will simply increase the average entropy of messages being transmitted across the Internet."

I'm not sure about the criticism that this initiative will do "nothing" to reduce spam: once you have a system for tagging messages and checking authenticity upon receipt, the next step (blessed lists of domains allowed to send one email) becomes possible. The worldwide email system slowly morphs to become like a huge VPN, with checkpoints to get on. Even though hijacked PCs could still be used to inject spam ostensibly under the identity of the hijacked user, such a standard would force ALL such spam to be directed into the network this way. Moreover, the spammers would have to use on-ramps from blessed servers from big domain names, rather than "somebody's hacked server in china". The isolation of spam in such a way, if such a key system was widely adopted, would encourage providers to do more to shut out compromised subscribers' PCs.

Google's Shuman Ghosemajumder wonders why, if the idea is to create momentum for an identity verification standard, Yahoo seems to be traveling the road alone up to this point.
Yahoo programmer (though not working on the DomainKeys project) Jeremy Zawodny agrees, noting via his blog that "it seems a lot more like another lone cowboy going after the bandits."

Yahoo themselves used the King-Maker remark in the title of this news story, in a clear reference to possible future initiatives by a certain large company to lay down possibly more tightly held infrastructure based around passport (word © 2003 microsoft), which could one day lead to everyone paying a penny to an MS authentication network if they wish to send a message. By making this thing open-source from the start, Yahoo escapes criticism that they may be trying to own it all.

But without Yahoo's recently announced anti-spam partners AOL and MSN on board for the ride, does the authentication system stand a chance? I think they deserve to be heard out.
