From: Paul Vixie
unsolicited, uncoordinated communication is wonderful, and i miss it. let's
build a universal electronic trust hairball so that we can get it back again.
right now my choice is "deal with yahoo's endless unconfirmed spew" or "not
be able to join any of the mailing lists my neighbors have set up there" and
i would like a finer grained selection than that.

What does a transitive/secondary/whatever trust protocol have to do
with that? Yahoo! is already the outfit bonding/hooking/whatever all
of that mail with its IP addresses. Changing the label on what they
do to "transitive trust" will not by itself affect their policies and
practices. As long as Yahoo! chooses to run mailing lists and domain
names the way they do, no matter how many tokens of trust or crypto
certs they slather on, their mail will remain what it is.

If Yahoo! would impose real penalties for abuse of its current
certificates of trust, the IP addresses of its mail systems, or do
anything else that really ensures that those who sign up for new domains
or new mailing lists are trustworthy, then there would also be no need
for newfangled tokens or certificates. If Yahoo! would not always
respond to reports of spam involving its domains with "It didn't come
from us so it's not our problem" even when it did come from one of its
IP addresses, then Yahoo!'s IP addresses could be certificates saying
"This is not spam" as trustworthy as sa.vix.com [18.104.22.168].

I'm not arguing for IP addresses as security tokens. I'm only pointing
out that issuing new identity cards to the usual suspects won't change
anything. No IETF protocol can synthesize trust for organizations
that are not trustworthy. Service providers that host spammers and
expect spam targets to deal with abuse will never be trustworthy. Most
of the TBytes/day of spam comes from such providers, whether cable
modem outfits that turn blind eyes on "owned" boxes, free providers
whose penalty for abuse consists of making the spammer sign up for a
new drop box, or tier 1 providers that lie about the impossibility of
determining which of their resellers is hosting a spammer.

Vernon Schryver vjs(_at_)rhyolite(_dot_)com