I didn't understand that the idea was to have CAs revoke the certs of
ISPs when ISPs failed to revoke the certs or terminate the accounts
of spammers. However, that is even more implausible than expecting
ISPs to start terminating spammers. UUNet won't terminate its small
resellers that cater to Ralsky and friends. Why would VeriSign revoke
UUNet's certs, merely because third parties complain to VeriSign about
getting spam from UUNet's customers?

VeriSign could only revoke a certificate if either the user had obtained
the certificate fraudulently or had broken the terms of the contract.
This has happened in a number of cases. In one case two certificates
were obtained through fraud and were revoked. In a second case a
certificate was legitimately obtained by an individual who constructed
a malicious ActiveX control.

It is not necessary, however, for the certificate to be revoked or for
the CA to provide the revocation data. In one model a third party
provides attribute certificates that state 'XYZ is a dirty no good
spammer'. In another they simply use OCSP to report status.

I'll be sending out a revised version of NoSpam that describes
some extended strategies.

ObDisclaimer: VeriSign has issued and pending patents that relate
to certain implementations of this technology.

Observation: We are in the business of selling certificates,
actually certificate management infrastructure services, and
not patent squatting or even patent licensing, so don't assume
a priori that licensing terms will be unacceptable.

Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg