ietf-asrg

Re: [Asrg] Email Certification Path Proposal

2003-03-11 08:33:11
From: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu

...
Running a CA is easy.  Certifying that the users are who they say they
are is *HARD*.

Let's say the actual server, software, install, bandwidth, etc, costs $20K.
Let's say we've also decided to charge $5 per certificate.

Now you need an office where 4,000 people can come in and show ID to prove
they are themselves so you can create a certificate for them.
...

Say you do all of that.  What keeps Ralsky from hiring people off the
street to go into the office, get a certificate, and give it to Ralsky
who uses it for the next 20 spews of spam?


Authentication is not authorization.  The only thing that certs, keys,
and so forth can do is reduce genuine forgery of sender information.

If I'm right that the reason that almost all spam with what some claim
is "forged" sender information involves free mail provider domains
from a few 100 domains instead of the other 50,000,000 domains is that
it is not really "forged," then all of the cert-ing in the universe
will have no effect on spam.  When you sign up for a Yahoo mailbox,
you'll simply get a cert in addition to a username and a password.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg