ietf-asrg

RE: [Asrg] PKI and Filters

2003-03-08 18:42:15
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>

 ...
The problem is when ISPs claim this. So they have a subscriber 
who pays to get an INTERNET account and then finds that the ISP
is going to decide who she gets mail from. Oh it turns out that
Planned Parenthood is on the ISP's blacklist.

You wrote about C|NET, not ISPs.  C|NET is not an ISP but an
advertiser, or at best a publisher.

Don't think such a thing is impossible. SPEWS recently listed 
the whole of UUNET because a maintainer took a dislike to a
Web site they hosted. Several blacklists list the whole of China
and Korea.

Are you sure of your facts there?  I don't recall hearing of SPEWS
listing all of UUNET's IP addresses.

...
How will Hotmail and Yahoo ensure that a new user is not a spammer?

They have pseudo Turing tests for subscribers and they implement
rate limiting. You cannot send 100 emails a minute from a new
Hotmail account. There are also limits on connections from the
same IP address.

So you're saying that Hotmail users could no longer send mail from
other ISPs using their Hotmail addresses as Reply-To, From, or Sender
header values or envelope Mail_From values?  So you'd push them back
into the AOL BBS model and off the Internet?  I hope that is impossible.


On the other hand, if Hotmail requires a credit card number, they can
detect Ralsky, or at least wreck the credit rating of the owner of the
credit card.  However, they could do that today without
Verisign's "help."

They could or they could take advantage of the extremely
reasonable prices of VeriSign payment services.

The credit card factor, whether PayPal, VeriSign, or some other
outfit is obviously irrelevant.  So why did you mention Verisign?


The result of that would be to cram the Internet back into the old
AOL/Genie/CompuServe fancy BBS model.

You forget who you are talking to, I did more to destroy that 
model than most people on this list.

No, you forget who you're talking to, and I'm not referring only
to myself.  There are, or were the worst of the flood, readers who
I think did incomparably more than you to break open the BBS model.


I'm sorry to be so blunt about the Verisign nonsense, but
SHEESH--give us a break!

Don't deny yourself a tool out of spite.

If you believe that you can do just as well with self-signed certs,
or raw keys in the DNS that is fine too.

My problems with commercial CAs have nothing to do with spite, but
with their business models.  The prices of certs are orders of magnitude
too low to do the things that the customers of commercial CA vendors
are led to expect they're buying.  You can't verify my identity for
a mere $150-$350, no matter how good your intentions, and so you (not
just Verisign) cannot issue a cert that really authenticates me.  
I suspect a $350 price won't buy the liability insurance for errors
in issuing certs, and that is why Verisign says "here's a cert, but
we really don't know if it's any good so don't call us if it's a waste
of bits and CPU cycles that causes you to lose money or launch missiles."
On the other hand, even $350 is barely below the price point for a
commercial cert.  No user will spend $50 to buy a cert for a personal
mailbox, which is why no one has a Verisign personal cert.  Cert
vendors simply cannot get the money to do honest authenticating because
cert buyers won't pay for it.

My problem with Verisign itself is not spite, but continuing lies and
gross misrepresentations.  Your obviously completely bogus claim that
Verisign has had anything whatsoever to do with keeping credit card
numbers out of the hands of bad guys is classic Verisign self-serving
knowing misrepresentation.  Perhaps you assumed no one around here
knows about DH or other means to get session confidentiality.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com