ietf-asrg

Re: [Asrg] Proposal for transition to authenticated email

2003-04-28 18:21:10
At 4:58 PM -0400 4/28/03, Ken Hirsch wrote:
>I doubt a certificate authority could manage to police the system as
>you indicate without significantly increasing that price.

That may well be.  Note that the certificate authority is not the only
one doing policing, though.  If messages are authenticated, it is much
easier to detect abuse and filter it.  Even at $100 per cert, if abuse
is detected after 10,000 messages, that's $.01 per message, which may be
enough to dissuade the abuse.  Plus the certificate authority will have
at least some identifying and financial information to prevent the
abuser from acting again.

If the authority is not revoking certs, then you have a situation identical to what we have now. Blacklist operators with lists of invalid IPs become blacklist operators with lists of invalid certs. Not much gain.

The certs should be expensive.  One per ISP is enough, so $1000, $5000, or
even $10,000 would not be unreasonable.  I can hear the small ISPs screaming
now, but they could contract out SMTP service.

Never mind small ISPs. What about *companies*? There are several orders of magnitude more of them running mail servers than ISPs. What are they supposed to do?

 >>   - no sending allowed to harvested emails
It's not clear how you enforce this, or deal with an expensive dispute
process.

People already create fake addresses to detect harvesters.  If a sender
uses these then the burden would be on him to show that he was tricked.
This should promote good practices (double opt-in, logging of web-based
subscriptions, etc.) to avoid penalties.

Sure. But given that you've punted on enforcement, how is this world any different than the current one?

>I think the existing commercial list providers have made it clear that
>they will not do confirmed opt-in.  And even on this list people have
>pointed out that confirmed opt-in loses legitimate subscribers.
>Perhaps if there were MUA support for it, but otherwise I don't think
>you'll get sign on.

They may well object, but I'm under no obligation to accept them,
either.  My proposal is not to make any of these policies mandatory, but
only to mandate authentication and truth-in-labeling.

No, *you* don't have to accept them. But a solution which leaves out every major bulk mail company, all the major etailers, not to mention your local bank, is not likely to fly very far.



--
Kee Hinckley
http://www.messagefire.com/          Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.