
Re: [Asrg] Proposal for transition to authenticated email

2003-04-29 17:31:24
From: "Jim Youll" <jim(_at_)media(_dot_)mit(_dot_)edu>
Mainly because the certs will cost a lot more than an IP address.  The
contents of these certificates need to be standardized.

This is a very well-funded Western view of things.

Cost may be expressed as either money, or effort. I propose that any cost
that is introduced (and this applies to sender-pays "deterrents" as well)
must not be directly mapped to money.

There are many means of throttling the issuance and replacement rate of
certificates (e.g. an über-difficult applicant-side calculation that takes
a week to generate, or just a clock) that do not involve money.

Yes, I said that certificates should be expensive and/or inconvenient to obtain.
Certificates should say (and do, to some extent), what it is they are certifying and
what procedures were used for verification.  A recipient should be able to choose
what class of certificates are acceptable, and which CAs are acceptable.  A
certificate that provides strong identity (e.g. government-issued) is not by itself
sufficient as an antispam certificate.  A CA would have to (1) check it against a
database of known spammers (2) get the person to sign a contract to abide by a set
of antispam policies and (3) have a set of procedures to handle complaints against
the person (including reporting the person to the database if they do not
cooperate).

But, yes, in the Western business world, money is the easiest shortcut to prevent
the proliferation of too many certificates.

[...]
Yet "what is spam" remains a subjective matter. How will such things not
get into the same morass as, e.g. the domain name dispute resolution process?

The antispam policies should be, as much as possible, objective and verifiable.
Some that I suggested are:
  - no open relays
  - more generally, no sending of mail from unauthenticated parties
  - no sending allowed to harvested emails
  - double opt-in required for mailing lists.
  - Opt-out requests must be honored
  - all senders' identities and addresses have been authenticated.
    (e.g. road-runner, but not Hotmail)


In each email message, the class of sender and/or email should be indicated.
Some possibilities:
  - This is a free email account without identity verification
  - This user is limited to 100 messages/day
  - This user is limited to existing correspondents + 10 messages/day
  - This user has been active for more than 180 days and has no complaints
  - This is a new user
  - This user is a paying customer resident in same country as ISP
  - This email is an advertisement to existing customer
  - This email is non-advertisement to existing customer
  - This is a challenge message for email list subscription
  - This is a challenge message for antispam purposes
  - This is a message for a subscribed and confirmed email list
  etc.
The properties that are supported are related to the general
anti-spam policies listed in the certificate.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
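The message above sketches a recipient-side policy: choose which CAs are trusted, which verified antispam policies a certificate must carry, and which sender and message classes are acceptable. The following Python is an added illustration written for this page, not code from the ASRG list or any IETF draft. It assumes that a receiving relay has already validated the sender's certificate and recorded its assertions in message headers; the header names (`X-Cert-Issuer`, `X-Cert-Policies`, `X-Sender-Class`, `X-Message-Class`) and the class labels are assumptions made for the example, and the two sample messages are constructed.

```python
"""Recipient-side acceptance check for certified senders (added example).

Assumption: an inbound relay has verified the sender's certificate and copied
its assertions into the hypothetical headers below.  This code only decides
whether those assertions satisfy the recipient's own policy.
"""
from dataclasses import dataclass
from email import message_from_string

# Hypothetical header names; not from the list discussion or any standard.
H_CA = "X-Cert-Issuer"            # CA that issued the sender's certificate
H_POLICIES = "X-Cert-Policies"    # comma-separated antispam policies the CA verified
H_SENDER_CLASS = "X-Sender-Class" # e.g. "paying-resident", "free-unverified"
H_MSG_CLASS = "X-Message-Class"   # e.g. "personal", "advertisement", "list-challenge"


@dataclass(frozen=True)
class RecipientPolicy:
    """What this recipient is willing to accept."""
    trusted_cas: frozenset
    required_policies: frozenset
    accepted_sender_classes: frozenset
    accepted_message_classes: frozenset


def parse_assertions(raw_message: str) -> dict:
    """Pull the certificate assertions out of the message headers."""
    msg = message_from_string(raw_message)

    def csv(header: str) -> frozenset:
        value = msg.get(header) or ""
        return frozenset(p.strip() for p in value.split(",") if p.strip())

    return {
        "issuer": (msg.get(H_CA) or "").strip(),
        "policies": csv(H_POLICIES),
        "sender_class": (msg.get(H_SENDER_CLASS) or "").strip(),
        "message_class": (msg.get(H_MSG_CLASS) or "").strip(),
    }


def evaluate(raw_message: str, policy: RecipientPolicy):
    """Return (accepted, reasons).  Every failing check is listed, so the
    recipient can see which part of the policy the sender does not meet."""
    a = parse_assertions(raw_message)
    reasons = []
    if a["issuer"] not in policy.trusted_cas:
        reasons.append(f"issuer {a['issuer']!r} is not a trusted CA")
    missing = policy.required_policies - a["policies"]
    if missing:
        reasons.append("certificate lacks policies: " + ", ".join(sorted(missing)))
    if a["sender_class"] not in policy.accepted_sender_classes:
        reasons.append(f"sender class {a['sender_class']!r} not accepted")
    if a["message_class"] not in policy.accepted_message_classes:
        reasons.append(f"message class {a['message_class']!r} not accepted")
    return (not reasons, reasons)


# A fairly strict recipient: one trusted CA, three verified policies required,
# no unverified free accounts, no advertisements.
STRICT = RecipientPolicy(
    trusted_cas=frozenset({"ExampleAntispamCA"}),
    required_policies=frozenset({"no-open-relay", "double-opt-in", "honor-opt-out"}),
    accepted_sender_classes=frozenset({"paying-resident", "established-no-complaints"}),
    accepted_message_classes=frozenset({"personal", "list-confirmed", "list-challenge"}),
)

# Constructed sample messages.
GOOD_MSG = """From: alice@example.net
To: bob@example.org
Subject: lunch
X-Cert-Issuer: ExampleAntispamCA
X-Cert-Policies: no-open-relay, double-opt-in, honor-opt-out, no-harvested
X-Sender-Class: established-no-complaints
X-Message-Class: personal

Still on for Thursday?
"""

BAD_MSG = """From: promo@example.com
To: bob@example.org
Subject: special offer
X-Cert-Issuer: SomeOtherCA
X-Cert-Policies: no-open-relay
X-Sender-Class: free-unverified
X-Message-Class: advertisement

Buy now.
"""

if __name__ == "__main__":
    for name, raw in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        ok, why = evaluate(raw, STRICT)
        print(name, "accepted" if ok else "rejected", why)
```

Because the check reports every unmet requirement rather than stopping at the first, a recipient can tell a message from an untrusted CA apart from one whose CA is fine but whose class (say, an advertisement from an unverified free account) falls outside what they chose to accept.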