ietf-asrg
[Top] [All Lists]

Re: [Asrg] Certs required to send mail

2003-03-25 09:12:03
From: "Jon Kyme" <jrk(_at_)merseymail(_dot_)com>

And if everybody were a nice person, we would not have this problem.

If certs were required to send mail, then we'd have big ISPs
distributing
CDROMs labelled "4000 free hours" and automatically issuing certs
along with user names and passwords.  There would be no change from
the current situation, except that the commercial CAs would have
another revenue stream.

The feasibility would hang on a CA issuing certs only subject to
strict T&C, taking responsibility for revoking in the case of demonstrated
violation of that T&C and for client software to correctly consult
revocation
lists.  The technology for this is all well-understood but there doesn't
seem to be a body in place offering this facility.  But I'm not proposing
such a system - that's for others with more expertise in this area. And
besides,
its a business problem rather than a technical one.

No, Dave's response was on target.  If ISPs would enforce strict T&C,
there would be no spam.  User names and passwords are required to send
spam, and ISPs could terminate accounts for spamming.  Expecting ISPs
to revoke certs for spam when they now refuse to termiante accounts
for spam makes no sense.

There is essentailly no spam that is not ultimately the responsibility
of an ISP that is trivial for spam targets with minimal technical
clues to identify.

To send spam, every spammer must identify itself to an ISP.  That ISP
knows every customer using its sevices so that it can bill its customers,
as well as detect bad behavior such as DoS attacks.  It takes time and
effort to sift RAIDUS or other logs to discover that the IP address
10.2.3.4 that sent spam at 10:01 GMT was in use by port 1234 on server
567 and that Joe Spammer had used a CHAP password to identify himself (or
his computer), but no rocket science is needed.  Adding certs to user
names and passwords does not affect what ISPs can and ought to do to stop
spam.

Similarly, every spammer's web pages are hosted by an ISP that could
enforce T&C's against spam.

This applies to open proxies.  Essentially all ISPs prohibit running
open proxies.  Spam whose original ISP is hidden by an open proxy
could be stopped by the second ISP enforcing its T&C against open
proxies.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg