ietf-asrg

Re: [Asrg] Proposal for transition to authenticated email

2003-05-01 19:40:35
From: "Kee Hinckley" <nazgul(_at_)somewhere(_dot_)com>
CAs exist, but they do nowhere near the validation you want them
to--and they virtually never revoke a certificate.  It took me three
weeks to hear back from my CA *how* to revoke a certificate that I
*wanted* revoked--and they had no standard mechanism to do it.

They do different levels of validation depending on what kind of certificate is
required.  I'm really not worried about the process within the United States.
We have mechanisms for this.  When I opened my first brokerage account, I had to
take my driver's license to a bank and sign the form witnessed by an officer of
an FDIC-insured bank--yes, it was that specific.  Here we have pictures on
driver's licenses, Equifax, social security numbers and so on.  It is by no
means difficult.

In other countries, I worry, but not here.

They certainly aren't set up to do dispute resolutions or any of that.

True, and I expect them to work with other organizations for that, as I
indicated.  _Somebody_ has to do it no matter what system you have.  There
really aren't many complaints against legitimate users.  It shouldn't be that
big a deal.

The group you are ignoring are the medium sized businesses.  They
can't afford what you're pushing.  You need to either make your certs
so airtight that a spammer can't simply create a new business every
month and get a new one, or else so expensive that the spammer can't
afford one.

Making them "that airtight" is not that hard--in the United States! Businesses
that have a real credit history and a physical street address shouldn't have
much trouble getting a certificate.  If they need one. Which they don't.

You just have to make it a few orders of magnitude harder for the bad guys to
start up a new server.  You won't eliminate it totally.  But AOL won't have to
block 2 billion spams per day.

As for your "it's easy" statements.  They all deal with technical
issues.  Not business and political issues.  Most companies do *not*
like to outsource mission critical technology.  You like phone
comparisons.  Compare the market for in-house phone systems to
outsourced (to the phone company) systems.  Which is larger?  Why?

Every company in the world uses the phone company.  Some also have internal
systems, but they use the PSTN to call the business across the street. I
haven't found companies reluctant to outsource. Our company outsourced our
mission-critical faxes to Cable&Wireless because it was cheaper and more
reliable to do it that way.  I send 3,000 pages a day from my server alone.
Yeah, the same server that forwards all email through another server.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg