At 15:44 -0400 4/29/03, Ken Hirsch wrote:
From: "Vernon Schryver" <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com>
[...]
On the other hand, an x.509 cert tells you less than the typical domain
name whois data even with the best of intentions by all parties. The
name and address in domain name whois data is often maliciously bogus
for spammers. Why wouldn't the same apply to certs?
Mainly because the certs will cost a lot more than an IP address. The
contents of these certificates need to be standardized.
This is a very well-funded Western view of things.
Cost may be expressed as either money, or effort. I propose that any cost
that is introduced (and this applies to sender-pays "deterrents" as well)
must not be directly mapped to money.
There are many means of throttling the issuance and replacement rate of
certificates (e.g. an über-difficult applicant-side calculation that takes
a week to generate, or just a clock) that do not involve money.
> Note CAs and certificate issuers are quite different (assuming as you
> must that there are no self-signed certs). In your model CAs are very
> much like ARIN.
Wrong. In my proposal, the CAs are _required_ to have a procedure to
handle spam complaints and have automatic revocation checking of
certificates. ARIN, APNIC, etc. only allocate addresses and refuse to get
involved in spam prevention.
Yet "what is spam" remains a subjective matter. How will such things not
get into the same morass as, e.g. the domain name dispute resolution process?
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg