From: Jack Nerad <jnerad(_at_)bellsouth(_dot_)net>
...
True. certs, keys and so forth can only reduce genuine forgery, but they
create a unique identity that can then be trusted by the community at
large or not.
Why can't the identities "jnerad(_at_)bellsouth(_dot_)net" or "bellsouth.net" be
trusted by the community at large today? I think the answer is that
"jnerad(_at_)bellsouth(_dot_)net" can be trusted, but "bellsouth.net" has too
much of the wrong kind of history. One might also worry that a spammer
could forge "jnerad(_at_)bellsouth(_dot_)net(_dot_)"
Even a spamhaus generated fifty million unique certs,
they still would not be trusted right off the bat. ...
Are you thinking of a system other than simply whitelisting senders
that you have determined to be trustworthy, not by their crypto certs,
but because they have good reputions, and with cryptography only
preventing forgery?
If that's the idea, then as has been suggested, you could tell your
correspondents to use PGP or SMIME and put their public keys on their
web pages so you could copy keys to your whitelist. No changes in
protocols, no new headers, no new or old public key infrastructure (PKI),
or much of anything else would be needed. At most you might want a
better user interface software such as MUAs to make signing easier
and perhaps integration of signature checking in MTAs to discard or
reject unread all unsigned mail.
This doesn't help the transition problem, unless you don't need to
receive mail from strangers not on your whitelist.
It would be good if those who think the transition problem is
insignificant for their favorite solutions should say how the transition
for their solution differs from the transition for other solutions.
Consider:
http://habeas.com/ started about August, 2002 or 6 months ago
http://www.camram.org/ ditto
http://www.bondedsender.com/ ditto judging from NetworkWorldFusion article
1. What is your estimate for the percent of Internet mail that is
now covered by those three solutions? My guess is that there are
between 2,000,000,000 and 10,000,000,000 msgs/day on the net, with
5 Bmsg/day being as nice round number. Do you think any of those
solutions have reached 1,000,000 msgs/day or 0.02% in the 6 months
they've been around? (I don't, with the possible exception of Habeas
and Topica, but which rumors make sound like something better forgotten.)
2. What percent of email do they need to cover before many people
would refuse unread any mail not covered by them and so have their
individual spam loads reduced? What fractions of the people with
mailboxes in the U.S., Western Hemisphere, and the world must refuse
all mail not covered by a solution before it affects spam in the
mailboxes of people using them?
3. Given how much mail they're covering after 0.5 years, how long until
they reach necessary recipient participation?
If you have a spam solution, what are the answers to those questions
for it, and why is does its answer #3 differ from the apparent answers
for those solutions of about 1000 years?
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg