
RE: [Asrg] My Opinion regarding ietf asrg session (it went badly! )

2003-03-22 13:08:24
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>

 ...
You cannot rely on certificates alone. Once people use certificates on a
widespread basis the spam senders are going to attempt to get hold of
certificates. This is expected.

The first line of defense is to have good authentication procedures. CAs who
perform authentication before a certificate is issued are going to provide a
higher bar for the spam-senders. As Jon demonstrated, spam senders, in
particular garbage creators, do not want to give a genuine address.

... 
A second line of defense is the law: anyone who applies for a certificate on
the basis of false information has committed fraud in practically every
single jurisdiction where the law means anything.
...

If that could work, then we would not have a spam problem.  Spammers
already must identify themselves to reputable ISPs with something that
has the relevant features of certificates, including laws against
fraud that are sometimes even enforced.  Those things are credit card
numbers.  In reality we have the spectacle of ISPs including Sprint
claiming they can't figure out how to deal with credit card fraud even
when a single spammer has used hundreds of stolen credit card numbers
and is known by name.  We also have ISPs advertising "try us for 2
weeks; no credit card required" on central California radio stations
yesterday.

It makes no sense to expect ISPs to know their customers well enough
to issue certs that might reduce spam when they can't be bothered
to know their customers today to reject well known spammers. 

If certs were required to send mail, then we'd have big ISPs distributing
CDROMs labelled "4000 free hours" and automatically issuing certs
along with user names and passwords.  There would be no change from
the current situation, except that the commercial CAs would have
another revenue stream.

Any spam filtering you might do based on certs can be done better and
faster on IP addresses, unless you can white-list all of your incoming
mail because you don't want mail from strangers.  If Ralski &co. could
not get new certs as often as required to keep sending, then they also
could not get new blocks of IP addresses.  We know they've no trouble
getting either single dial-up addresses or fair sized blocks, and so
simple logic shows that they could get as many certs as they might need.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg