From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>
I think there are important differences:
Can you tell who is responsible for the mail server?
Now: Sometimes
Proposal: Yes, instantly
Can you tell who issued/can revoke the IP address or certificate?
Now: With difficulty
Proposal: instantly
That is backwards. Anyone can now instantly tell who is responsible
for an SMTP client. The SMTP client's IP address can be associated with
a responsible party by checking routing tables and IP address whois
data. That might not give you the address of the spammer, but it does
give you the name and address of the party who should stopping the spam.
On the other hand, an x.509 cert tells you less than the typical domain
name whois data even with the best of intentions by all parties. The
name and address in domain name whois data is often maliciously bogus
for spammers. Why wouldn't the same apply to certs?
Note that domain name and IP address whois data differs significantly.
Number of authorizers of IP addresses: thousands, who knows?
Number of CAs: A few dozen to maybe a few hundred
That is wrong. Either your CAs correspond to the handful of organizations
like ARIN or they correspond to the bazillions of ISPs.
Note CAs and certificate issuers are quite different (assuming as you
must that there are no self-signed certs). In your model CAs are very
much like ARIN.
Can you tell the spam policy of responsible party?
Now: no (never in machine-usable form; hard to find for humans)
Proposal: yes, it's right there in certificate, in standard form
So your certs include some sort of spam policy? I missed that. Why
would it work better than the abject failure that is the "web page
privacy policy" protocol? Why would it be an honest statement? What
outfit would have certs that say "we send spam"? Why wouldn't it be
the same as the current anti-spam policies of ISPs? Today you can
instantly find the ISP that issued an IP address "cert" and review
its spam policy.
Can you tell who to contact about spam?
Now: no
Proposal: yes
There is no spam today for which anyone who understands how things
work doesn't know whom to contact. Anyone who can't figure out who
to contact about spam today, still won't be able to with your certs.
Can you show that spam was sent from server?
Now: no
Proposal: yes, cryptographically signed
That is simply wrong. All spam carries the unforgeable signature
of a sending IP address.
Can you tell anything about the email content/sending user?
Now: no
Proposal: Maybe (policy-dependent)
Yeah, right, just like the TrustE certificates or Topica's "gold members."
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg