ietf-asrg
[Top] [All Lists]

Re: [Asrg] Proven solution for authenticating messages

2003-03-04 12:53:28
On Tue, Mar 04, 2003 at 09:01:00PM +0530, Prasenjeet Dutta wrote:
Problem here: what constitutes 'accountable' [...]
This would require a trusted entity which does the whole confirmation
and managment, some kind of 'consent clearinghouse'.

I agree, and this is the biggest challenge in this proposal. We 
already have a clutch of CAs in place, but I think the for-profit 
approach for e-mail CAs/Consent 'clearinghouses' will not work very 

There are many different ways to be accountable, and only one global
test -- does the system of accountability work well enough to keep the
spam volume below an acceptable level.

If mail is signed with a certificate from a trusted CA that has met
this test, it inherits the trust of that CA.  If mail comes from
a country that gives the death penalty to spammers and enforces it,
that's fine too.   However, the goal is to have as many was as
people can think up to be accountable.

The flaw as you present it, is that there is a natural economy of
scale, perhaps almost a natural monopoly, in having one list of
the addresses which can be held accountable for abuse.   That isn't
a hard and fast requirement -- each target using such a throttling
gateway could use a different list, or draw from a different set
of criteria.

That's even easy to implement.  The site gets to control their
MX to a server that follows the rules they like.  If a trusted site
connects there by accident, worst case is they are refused and thus
connect to the real server, which is next in the MX line.

The one natural monopoly here is in aggregating traffic volume.  The
throttles counting volume of mail coming from networks do need to
join in a collective to share the volume data, otherwise you can't
detect bulk mail.   You could have a small number of these aggregations
of volume data, but not too many.   However, nobody has to "own" this
aggregation, that just needs a protocol by which the data are shared,
and some trust system to only allow trusted people to contribute
data.

However, the main point of this philosophy is that this is the way
almost all rules in society are actually enforced.  We don't put
up battlements around our houses to protect them any more.  We
don't put police on every corner.  All we care about is that if
somebody does break the rules, they can be held accountable.  That is
a deterrent to those who would break the rules.

It's only in the most extreme cases that society works any other way,
and society is usually poorer when it does.   Airports are a modern
example.  In order to stop, rather than deter hijacking, we now
put up with flying becoming a horrendus and privacy-stripping
experience.

Spam, fortunately, isn't that bad.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg