At 03:38 PM 5/7/2002 -0400, Keith Moore wrote:
> In other words, I don't think that forgery problems can be solved until
> the solutions for them are mandatory.
encryption-based authentication is resistant to forgery. anything that
requires nothing more than administrative conformance on a global scale is
simply doomed; forgery isn't just easy, it's trivial.
> I'm not sure whether it's necessary that the solutions be mandatory,
> or whether it's sufficient that there be some incentives to using them.
mandatory simply won't work. there is no global authority agency to
enforce mandatory anything. it's participant incentives or it's nothing.
> for instance, if major ISPs processed authenticated mail faster than
> non-authenticated mail,
ISPs have their own incentives. They care about complaints from their
customers. They do not care about much more. And as noted, spammers do
not care about delays.
It is mail originators and recipients who are the "participants" that must
press for the mechanisms.
> this would provide some incentive for sites
> to authenticate.
serious businesses are easy. it is the miscreants who are the problem.
> the other trick is building an infrastructure that allows authenticated
> mail to be verified and traced to the source, and one which facilitates
> quick reporting and suppression of sources of abusive mail.
as long as it has incremental deployment and use, and incremental value,
then maybe it is worth considering.
d/
----------
Dave Crocker <mailto:dcrocker(_at_)brandenburg(_dot_)com>
Brandenburg InternetWorking <http://www.brandenburg.com>
tel +1.408.246.8253; fax +1.408.850.1850