A problem applying to both kinds:
Even if we are far away from having a widely deployed
public key infrastructure, we should take care to not slam that
door closed. A content based spam filter would defeat the success
of a common PKI. Why?

On the contrary. Filters are the reason that PKI will become practical.

First premise: Filters do not work better than 95%
All the filters proposed thus far are based on technologies that are known
to have severe limitations. That includes the Bayesian filtering approach
for which some have been claiming ridiculous 99.5% success rates with no
failures.

Second Premise: False Positives Matter a LOT
A lot of interest in the JamSpam consortium comes from people who send out
lots of mail that does not get through. People like C|Net and relationship
management companies that send out email from your bank or airline with
account status and special offers.

Proposal: Use Filters and Authentication together
Content filters should use authentication based approaches to whitelist
known good mail from AUTHORIZED sources. PKI allows the authorization to be
quite broad. I know that AOL now has rate limiting on outbound mail so I
will take any AUTHENTICATED email from AOL, Hotmail, Yahoo, etc.

PKI has been a success in the e-commerce space. I do not know of any case
where a credit card number was stolen from a communication over the wire. If
everyone used PKI to protect the credit card numbers in storage as well
there would not be problems with theft of cc databases.

PKI for email clients has not been a big success. This has partly been
because of the unfair advertising advantage that the FBI gave to PGP. It has
also been because there has been no infrastructure for discovery of
encryption keys and because the business model has been screwed up in the
consumer space.

I believe that I address these problems with XKMS which is a DNS linked PKI.

* The PGP/X.509 Mindshare war is over
People can use either scheme for their keying needs. I propose that
we unify the messaging standard as well so that standard email clients can
send and receive mail to/from PGP and/or S/MIME users.

* The public key discovery problem is solved
XKMS is DNS linked. So to find the XKMS service for example.com look
up the XKMS SRV record at example.com. Then do a locate on the result to get
the key.

* The fat client problem is solved
Any XKMS client can access the most sophisticated (i.e. complicated)
PKI that is in use. The complexity is managed at the XKMS service, not on
the client. So you can have full strength PKI accessible from Zaurus or your
pocketPC.

I think we could solve the marketing issues as well.

Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
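
The discovery step described in the post (look up the XKMS SRV record for the domain, then do a Locate), sketched as an added example that is not part of the original message or of any XKMS implementation. The SRV label `_xkms._tcp`, the `/xkms` URL path and the SRV answers are assumptions constructed for illustration, and the weight ordering is a deterministic simplification of RFC 2782.

```python
import xml.etree.ElementTree as ET

XKMS_NS = "http://www.w3.org/2002/03/xkms#"  # XKMS 2.0 namespace
SRV_LABEL = "_xkms._tcp"  # ASSUMED placeholder label; the post does not name it
URL_PATH = "/xkms"        # ASSUMED; an SRV record carries only host and port
# UseKeyWith application URIs for the two message formats the post mentions
APPLICATIONS = {"smime": "urn:ietf:rfc:2633", "pgp": "urn:ietf:rfc:2440"}

# Constructed SRV answers for example.com: (priority, weight, port, target)
SAMPLE_SRV = [
    (20, 0, 443, "xkms-backup.example.com."),
    (10, 60, 443, "xkms1.example.com."),
    (10, 40, 8443, "xkms2.example.com."),
]

def srv_name(address):
    """DNS name to query for the XKMS service of the address's domain."""
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        raise ValueError("not an email address: %r" % address)
    return "%s.%s" % (SRV_LABEL, domain.lower().rstrip("."))

def order_targets(records):
    """Lowest priority first, heavier weight first within a priority.
    (RFC 2782 selects randomly by weight; sorting keeps this deterministic.)"""
    usable = [r for r in records if r[3] != "."]  # target "." means no service
    return sorted(usable, key=lambda r: (r[0], -r[1]))

def service_url(record):
    _, _, port, target = record
    host = target.rstrip(".")
    return "https://%s%s%s" % (host, "" if port == 443 else ":%d" % port, URL_PATH)

def locate_request(address, fmt, service, request_id):
    """XKMS Locate request for a key usable to encrypt mail to `address`."""
    ET.register_namespace("", XKMS_NS)
    q = lambda tag: "{%s}%s" % (XKMS_NS, tag)
    req = ET.Element(q("LocateRequest"), {"Id": request_id, "Service": service})
    ET.SubElement(req, q("RespondWith")).text = XKMS_NS + "KeyValue"
    query = ET.SubElement(req, q("QueryKeyBinding"))
    ET.SubElement(query, q("KeyUsage")).text = XKMS_NS + "Encryption"
    ET.SubElement(query, q("UseKeyWith"),
                  {"Application": APPLICATIONS[fmt], "Identifier": address})
    return ET.tostring(req, encoding="unicode")

if __name__ == "__main__":
    rcpt = "alice@example.com"  # constructed recipient
    url = service_url(order_targets(SAMPLE_SRV)[0])
    print(srv_name(rcpt), "->", url)
    print(locate_request(rcpt, "smime", url, "req-1"))
```

Locate only returns the key binding the service holds and makes no assertion about its validity, so a client that does not check the binding itself would follow up with the XKMS Validate operation.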