Instead of certificates, why not just use the Bonded Sender approach and
use PTR queries to a whitelist DNS server or group of servers? A quick DNS
query is less intensive than cryptography and requires less programming.
Besides, running a CA is a huge undertaking.
TTUL
Ken
--
http://ttul.org/~ksimpson
On Wed, 30 Apr 2003, Ken Hirsch wrote:
From: "Kee Hinckley" <nazgul(_at_)somewhere(_dot_)com>
I'm sorry, I have no sympathy. You're just whining, "I'm not part
of the problem,
why should I bear any inconvenience or expense?" Because the current
system
(anarchy) is broken.
You are completely missing the point. This has nothing to do with
me. This is a business reality. It's like you woke up one day and
said, "I've got the solution to pollution! Everyone will junk their
cars and use buses!" Sure, it's a solution. But it's not going to
happen. You can't force that kind of solution on people, they won't
accept it. A small cost (akin to current certs), sure. But the kind
of cost, inconvenience, loss of of control and loss of privacy you
are discussing? It doesn't meet the ASRG requirements for a system
which can be adopted.
Sorry, but I'm not proposing everybody give up cars. In fact, my solution
is a lot less intrusive than catalytic converters, which did get adopted.
People manage to deal with _a lot_ of regulations for their cars because
they have to share the road: driver's licences, insurance requirements,
license plates, safety inspections, emissions checking, and so on. What I
am proposing is about equivalent to requiring a license plate on a car.
It's trivial.
This is not a big inconvenience, the cost is small, the loss of control is
negligible. If people were really concerned about privacy, they would
encrypt their email. They don't. If you have the volume and really need
that tiny extra bit of control, pay for the certificate. If you are
legitimate, it will last a long time and the cost per email will be trivial.
Only people whose certificates are revoked will end up with a high
per-message cost.
Vernon Schryver has brought up legitimate questions--Will the policies
_really_ be enforced? Can you encode useful policies in a certificate? I
think the system will work, but these are open questions. But I just don't
believe people care about the ability to do point-to-point SMTP.
Every phone call anybody makes works this way. It gets routed through just
a few companies and they know whom you are calling. It is just not an
issue.
> - I don't want my ISP to be able to see who I am sending email to.
They can now. Trivially.
Not when I'm using SSL.
And I'm not proposing stopping you. Carry on with those few SMTP servers
that support it. Very little email moves that way. If this were such a
major concern that it was a show-stopper, everybody would encrypt their
email or use TLS. But they don't. 99%+ of email is not encrypted.
(And of course, you can still encrypt email sent the way I propose.)
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg