Re: [Asrg] Certs required to send mail

2003-03-26 02:19:17
> What is the practical difference between the BGP feed of the RBL+
> and any certificate system?  Think of an IP address as a certificate.
> The IP address of the SMTP client is unique and practically unforgeable.
> [ISP name here] risks being cut off by not dealing with its spammers
> and being listed in the RBL.
> (The BGP feed of the RBL+ causes listed outfits to disappear from
> the Internet as seen by subscribers.)
>
> Yes, I know the RBL has not ended spam.  The reasons are not
> mysterious and apply to all of the proposed certificate or other
> authentication schemes.



Of course. I have said that a cert based scheme might be effectively
equivalent to a whitelist (-ve blacklist). It might provide a revenue to
support the maintenance/verification/reliability/litigation exposure
problems inherent in listing-type schemes.


> It's discouraging that people are still saying that authentication
> would fix spam years after common MUAs (e.g. Netscape) can send and
> check signatures and/or keys and SMTP-AUTH, SUBMIT, and SMTP-TLS are
> universally available.


I'm sorry, who said that authentication (on its own) would "fix spam"?
I certainly didn't.  I hope I'm not being shot down for something I
didn't say (again).

As has been said (probably by you): Authentication is not the same as
Authorisation. A cert only establishes (if you think about it) the
existence of a relationship between 2 entities at some time in the past.
The "meaning" of this fact depends on the context it's interpreted in.

The observation that a cert-based scheme to establish *credentials* may
fail (has failed) doesn't reveal some previously unknown weakness of
certs - certs don't have that strength of themselves.
It's a weakness of the context in which they're used.

It's a non sequitur to assert that the lack of a strength in the
cert must result in a lack of that strength in a system employing them.

The strength of "accreditation" is a property of an accreditation system,
not of the tokens used to express accreditation.

I'm not inclined to continue this discussion on this list - I'm sure it's
boring most participants.

--
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg