ietf-asrg

Re: [Asrg] Proposal for transition to authenticated email

2003-05-01 13:52:45
From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>

...
> I think any general solution will depend on identity verification, which is
> a key part of my plan.  Anything else has to build on that. ...

That is a religious view in the sense that it is based on unquestioned
and unquestionable assumptions or axioms that cannot be reconciled
with the differing religious views or axioms behind SMTP.  You assume
that accepting mail from perfect strangers is not worthwhile, but SMTP
is built on the opposite assumption.

You would do better to address that underlying difference and consider
its implications.

You probably do not agree that your view denies the value of mail from
strangers, but it follows from the fact that a stranger even in the
CA business cannot verify the identity of a stranger that wants to
send you mail.   You cannot trust a stranger's assurance that the
message your software is about to receive from a second stranger is
not also being sent to 30,000,000 of your friends.

An oddity is that the modifications to Internet mail that you propose
are not required to eliminate that troublesome mail from strangers.
You don't need new CAs or anything else to avoid all mail from strangers.

A smaller but still insurmountable problem is that the CAs that are
not strangers (e.g. Verisign) cannot be trusted to revoke, or through
no fault of their own, be able to revoke certificates.  You have
mentioned having on the order of 1000 CAs.  By coincidence that is the
same order of magnitude as the number of ICANN or otherwise certified
domain name registrars.  You cannot trust domain registrars to follow
their own announced, official policies for revoking registrations of
spammers (when they have such policies) or the policies they are required
by ICANN to have to require valid contact information.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


