On Tue, 16 Mar 2004, Dr. Jeffrey Race wrote:
On Mon, 15 Mar 2004 18:12:22 -0800, Ed Gerck wrote:
BTW, how can we talk about "actions that have consequences" in terms of a
technical solution that the IETF can pursue?
The whole point is there are NO TECHNICAL SOLUTIONS and never will be.
Correct, and I gave an explanation for this in information theory.
(There are some technical aspects to improving traceability, however.)
The traceability is about as good as it will get. If you have an IP
address and a time, that is all you need, and like a phone number, all you
might hope to get. While an open proxy can hide the true IP of the
abuser, you still get the IP of the open proxy. Likewise, if the dialup
account is stolen, you may get the IP address assigned to users of the
dialup gateway, which also isn't the culprit.
Even cryptographic methods start by having ISPs issue certificates. The
certificates, like other accounts, might be thought of as disposable. Or
they might be stolen.
Authentication is not a solution to spam.
As you might recall, after the east coast power outage, it was suspected
that the outage might have been related to a virus. While it turned out
not to be, it didn't take long for the virus author to be tracked down by
law enforcement. There is nothing wrong with the current traceability.
What anti-spammers want is to have access to private information. This
will not happen without proper legal procedures. CAN-SPAM explicitly
permits information to be obtained by subpoena, but basically, this was
all obtainable before, as AOL and many others have demonstrated.
IETF would not apply the consequences; the victims would apply the
(behavioral) consequences using established guidelines, employing
technical measures already established in RFCs.
IETF and other standards bodies can bless agreed procedures for using
the existing technical steps in new behavioral ways.
There are two reasons this is crucial:
1) Courts often, perhaps usually, defer to declared norms of industry
standards bodies, in establishing reasonableness of disputed
behavior. We can be decisive in establishing these norms. The
courts can't easily act to use the COMPLETELY ADEQUATE EXISTING
LAWS in part because of this lacuna.
Given that you seem to think open relays are bad (from your proposal), and
since the only time I've ever heard such a claim involved open relays, I'm
guessing that's what you mean.
Having litigated the issue--it was so frivolous that it didn't get to a
filing but there were lawyers involved, I can report to you that the
reasonableness of running open relays in particular has nothing to do with
technical standards. The central issue is that there are genuine reasons to
provide unauthenticated or post-authenticated relay services outside one's
assigned IP address space, and secondly, the claims that open relays are
somehow associated with spam or provide some benefit to spammers don't
hold up to legal scrutiny. Open relays are not the same as anonymous
relays. Open relay use doesn't in any way impede investigation of spam.
Nor does open relay use impede spam blocking.
There are two types of people who speak against open relays: The first
type are misled. They have very little idea of what an open relay is or
why they would be used. They've just been told that open relays are bad,
and have come to believe this fervently themselves. It is an article of
faith, and not of logic. The second type abuses them. Genuine spammers
of the sort that would be subject to the CAN-SPAM act do not abuse open
relays. Only radical anti-spammers search for and abuse open relays.
2) Normative documents, and personal leadership, convert a group or a
mob into an "emergent structure" (say a business firm, a dance
company, a charitable organization, a military unit, a religious
order, a teen gang) in which the norms absolutely bind the behavior
of the participants, even to death.
I say, in a completely non-deprecating way, that these points from law
and sociology may not be apparent to engineers (or in fact to anyone else
who is not an attorney or a sociologist) but they are completely true
and completely binding on human behavior.
The consequences are not
technical. In addition, they would need to be arbitrated and we know how
long, ineffective and expensive that can be.
No arbitration needed. Please re-read the proposal.
My proposal (which received input from many people) is basically just
common sense. That's what we need now. The answers are in. The
proof is in. Let's do it. Now.
Actually, common sense would be that anytime you interfere with someone's
rights, there will be legal procedures involved. But this is another
weakness in the cherished assumptions of the radical anti-spammers. They
seem to think that they are the only people with rights.