ietf-asrg

Re: [Asrg] Email Certification Path Proposal

2003-03-11 17:30:33
Vernon Schryver wrote:

From: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu

...
Running a CA is easy.  Certifying that the users are who they say they
are is *HARD*.

Let's say the actual server, software, install, bandwidth, etc, costs $20K.
Let's say we've also decided to charge $5 per certificate.

Now you need an office where 4,000 people can come in and show ID to prove
they are themselves so you can create a certificate for them.
...

Say you do all of that.  What keeps Ralsky from hiring people off the
street to go into the office, get a certificate, and give it to Ralsky
who uses it for the next 20 spews of spam?

Trust. Valdis mentioned the problems with a "web of trust" idea to be significant bootstrapping. PKI alone doesn't do it, agreed. But with a way to identify where the messages come from, it becomes possible to trust the sources. With trust, all of a sudden you know which sources are reliable. The ones you don't know are reliable can be dealt with as you wish.

I have no idea how a trust system would be implemented with email. What other arguments are there against the web of trust?

Authentication is not authorization.  The only thing that certs, keys,
and so forth can do is reduce genuine forgery of sender information.

True. Certs, keys and so forth can only reduce genuine forgery, but they create a unique identity that can then be trusted by the community at large or not. Even if a spamhaus generated fifty million unique certs, they still would not be trusted right off the bat. I'm not really sure about the mathematics of networks of trust, but it seems reasonable to assume that the spamhaus could create networks of trust that were local. Making the trust stick to the network at large would be much more difficult.

If I'm right that the reason that almost all spam with what some claim
is "forged" sender information involves free mail provider domains
from a few 100 domains instead of the other 50,000,000 domains is that
it is not really "forged," then all of the cert-ing in the universe
will have no effect on spam.  When you sign up for a Yahoo mailbox,
you'll simply get a cert in addition to a username and a password.

--
Jack Nerad

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg