
Re: [Asrg] Proposal for transition to authenticated email

2003-04-29 15:25:16
From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>


name whois data even with the best of intentions by all parties.  The
name and address in domain name whois data is often maliciously bogus
for spammers.  Why wouldn't the same apply to certs?

Mainly because the certs will cost a lot more than an IP address.  The
contents of these certificates need to be standardized.

How much more?  A Verisign cert currently costs about the same as the $120
to $360 per year price of an IP address from Earthlink, Juno, etc.

Why would I pay at least $120 to $360 per year to get your spam-CA to
swear rhyolite.com doesn't send spam?  I've never had a mail blocking
problem.


Note CAs and certificate issuers are quite different (assuming as you
must that there are no self-signed certs).  In your model CAs are very
much like ARIN.

Wrong.  In my proposal, the CAs are  _required_ to have a procedure to
handle spam complaints and have automatic revocation checking of
certificates.  ARIN, APNIC, etc. only allocate addresses and refuse to get
involved in spam prevention.

Who will enforce that requirement on your CAs?  ISPs and registrars
are ignoring their promises to cut off spammers.

...
So your certs include some sort of spam policy?  I missed that.  Why
would it work better than the abject failure that is the "web page
privacy policy" protocol?

Because these policies would be used by programs at all the major ISPs.  The
P3P doesn't really have any automated use.

Again, why will your program differ from P3P?  The P3P people said there
was supposed to be automated use of it.  Netscape 7 can be told to
pay attention to it.


...
Probably quite a few would say "we send spam".  More to the point, there is
no universally accepted definition of spam, but this proposal allows senders
to declare exactly what email they allow as well as, optionally, the
properties of the individual messages and senders.

How are you going to encode a declaration of exactly what is sent into
at most a dozen bytes?  Remember that your certs have to be tacked onto
every mail message.

...
Why wouldn't it be
the same as the current anti-spam policies of ISPs?  Today you can
instantly find the ISP that issued an IP address "cert" and review
its spam policy.

1) It is _not_ easy even for a human to find the policy.
2) It is impossible for programs to use this information.
3) There is no standard way to tell if they are in compliance.

The same applies to your proposal.

That is simply wrong.  All spam carries the unforgeable signature
of a sending IP address.

Unforgeable?   Well I guess you sent this spam, then!

    Received: (from vjs(_at_)localhost)
     by calcite.rhyolite.com (8.12.9/8.12.9) id h3TGUhsH011243
     for asrg(_at_)ietf(_dot_)org env-from <vjs>;
     Tue, 29 Apr 2003 10:30:43 -0600 (MDT)
    From: Vernon Schryver <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com>
    Message-Id: <200304291630(_dot_)h3TGUhsH011243(_at_)calcite(_dot_)rhyolite(_dot_)com>
    Subject: + Database of 200 mil U.S. Citizens!  vtb m
...

I don't know what you think that might represent.  I do know it does
not contain an IP address.  RFC 2822 headers even when they mention
an IP address are not IP addresses.  

Please offer a detailed explanation of how you can forge the IP address
of an SMTP client connecting to an SMTP server so that the SMTP server
gets the wrong idea.  Note that by my definition, the IP address of
the SMTP client is on the outside of a NAT box or other proxy.  The
client's IP address is in the source field of the IP header of its
initial and every subsequent SMTP/TCP/IP packet.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
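
The distinction drawn at the end of this message, between header text that mentions an IP address and the address the SMTP server sees on the connection, shown as an added example that is not part of the original post. The sample message, the host names, the documentation-range addresses and the helper names are all constructed for illustration.

```python
import re
from email import message_from_string

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: what a client might send after DATA. The Received:
# line is part of the text the client supplied, so it proves nothing.
CLIENT_DATA = (
    "Received: from mail.example.org ([192.0.2.10])\n"
    "\tby relay.example.org; Tue, 29 Apr 2003 10:30:43 -0600\n"
    "From: Someone <someone@example.org>\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def stamp_received(raw, peer_ip, helo, my_host):
    """Prepend the receiving server's own trace line.

    peer_ip is what socket.getpeername() returned for the SMTP connection,
    i.e. the source address of the TCP/IP packets; helo is client-supplied.
    """
    return f"Received: from {helo} ([{peer_ip}])\n\tby {my_host}\n" + raw

def received_ips(raw):
    """Bracketed IPs in Received: headers, newest (topmost) first."""
    msg = message_from_string(raw)
    return [ip for hdr in msg.get_all("Received", [])
            for ip in BRACKETED_IP.findall(hdr)]

def split_trust(raw, peer_ip):
    """Return (observed, claimed): the address our server saw on the wire,
    and the addresses that appear only in sender-controlled header text."""
    ips = received_ips(raw)
    if not ips or ips[0] != peer_ip:
        raise ValueError("top Received: line was not stamped by this server")
    return ips[0], ips[1:]

if __name__ == "__main__":
    stored = stamp_received(CLIENT_DATA, "198.51.100.7",
                            "mail.example.org", "mx.example.net")
    print(split_trust(stored, "198.51.100.7"))
```
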
