From: "Eric S. Imsand" <eimsandasrg(_at_)charter(_dot_)net>
...
I agree and acknowledge the fact that no one will voluntarily assume any
liability... to do so would undoubtedly place anyone's employment in
jeopardy. It's my assertion that liability (in some form) will have to
be forced on everyone. I realize that one goal of this group is to find
a solution that will be accepted by the greater Internet community.
Forcing liability down people's throats is a good way to get an idea
killed off... unless the potential "pay off" is great enough that they
take the risk. In this case, relieving the burden that spam places on a
large network may be a great enough prize that people are willing to
accept the imposed liability.

The trouble with that reasoning is that:
- the technical costs of dealing with spam are trivial per user except
in rare cases. All email is on the order of 5% or 10% of HTTP traffic.
Thus, the CPU cycles, disk space, and bandwidth are insignificant
compared to other services that are considered too cheap to meter.
- the non-technical costs of spam are significant, but like the
non-technical costs of HTTP. Wasted employee time (or your own) is
hard to value in dollars. However, time wasted on spam is being
controlled by filters. My mailbox receives less spam today than it
did years ago, but 20 or 50 times as much is sent toward it.
- the smallest liability for sending spam would be enormous. Paying
$25 to a small fraction of the spam targets of a single use of a
50,000,000 address CDROM would bankrupt any but a large business.
The existing anti-spam laws have shown $25 is too small to motivate
spam targets. Even the $500/$1500 cost of a junk fax imposed by
the TCPA is a fraction of the cost of going to court. If you file
in a local small claims court and collect and you value your time
at much more than minimum wage, you'll lose money. What business
would consider assuming a potential liability of $500 for each of
a few million spam targets?
- the larger the network, the larger liability. By the time you are
talking about a network large enough for the technical costs of
spam to be significant, the potential liability is too large
for my calculator to handle.
- your pay off from the liability comes from others assuming it. You
cannot benefit by promising to pay for your spam unless you are
already widely blacklisted, and even then you won't assume a significant
liability. Why are the only major outfits we've heard of signing
up with Habeas the widely blacklisted Topica and Harris? How much
liability have they assumed?

You might fix all of that with a law that caps the liability, is enforced
by state attorneys general or the FTC, and so forth. (Never mind how
to pass a law, motivate attorneys general to care, or the many other
problems with laws.) Such a law would not need cryptographic proofs
of identity any more than they have been needed by the FCC against
the junk faxers. Just as in TCPA actions, you can either use the
sending telephone number/IP address or the name, address, or telephone
number advertised in a junk fax or spam to collect.

Cryptographic authentication can do nothing about spam. Its only
potential is to provide a new revenue stream to struggling commercial
PKI vendors and some interesting and profitable work for programmers
like many of us here including me.
....
I sometimes feel guilty about repeating all of this stuff to each new
defense of authentication as The Cure for Spam. I rationalize away
the guilt by telling myself it would be a bad thing for someone to point
Congress or the FTC to the archives of this mailing list for the
consensus view of the IRTF/IETF that a law requiring commercial certs
on mail would not only stop terrorism and child pornography but also
control spam.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg