ietf-asrg

Re: [Asrg] Certs required to send mail

2003-03-25 11:20:25
From: "Jon Kyme" <jrk(_at_)merseymail(_dot_)com>

..
Well, a better question is why would [ISP name here] buy a certificate
from [CA name here]
with which to sign its subscribers' mail certs (and risk having it revoked
if they don't revoke subscribers)?

A. Because (many users at) Hotmail and AOL don't accept mail without it.
(in my fantasy)

See? Following the money. Also (as I've said) a "business" rather
than a "technical" problem. I'm not qualified to judge the business case 
for this - you?
..

You are qualified to judge the cases that matter to us.  You and I
might not be able to say much about the revenue stream that Verisign
is after, but we can certainly judge the business case for AOL and
Hotmail or AOL and Hotmail users refusing mail from [ISP name here]
because of a lack of a certificate.  We can't know dollar figures,
but we can predict the conclusions of the people in charge from
what they've already decided in essentially identical cases.

If certificates could do as you've proposed, then AOL, Hotmail, and/or
their users could just reject by the IP address or domain name of [ISP
name here] in envelope, header, or body (e.g. URLs).  If there could
be any risk to the cert of [ISP name here], then there would be the
same risk to its IP address and domain name.

What is the practical difference between the BGP feed of the RBL+ 
and any certificate system?  Think of an IP address as a certificate.
The IP address of the SMTP client is unique and practically unforgeable.
[ISP name here] risks being cut off by not dealing with its spammers
and being listed in the RBL.
(The BGP feed of the RBL+ causes listed outfits to disappear from
the Internet as seen by subscribers.)

Yes, I know the RBL has not ended spam.  The reasons are not
mysterious and apply to all of the proposed certificate or other
authentication schemes.

It's discouraging that people are still saying that authentication
would fix spam years after common MUAs (e.g. Netscape) can send and
check signatures and/or keys and SMTP-AUTH, SUBMIT, and SMTP-TLS are
universally available.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com