ietf-asrg

[Asrg] Re: The Solution To Spam - The First Response (Ken Hirsch)

2003-07-03 08:50:24
This posting relates to the 'GIEIS' system.  This can be viewed at:

http://homepage.ntlworld.com/giza.necropolis

I must agree with Ken. It only makes sense to raise the current pricing schemes to remove illegitimate companies from the Internet, leaving only those with significant investments in the web business free to win back public support.

By raising the 'bar' of initial expenditure versus return we could eliminate a significant proportion of Internet fraud. 'GIEIS' will employ this technique as well as others.

Mark McCarron.


Message: 9
From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>
To: <asrg(_at_)ietf(_dot_)org>
Subject: Re: [Asrg] The Solution To Spam - The First Response
Date: Wed, 2 Jul 2003 20:40:38 -0400

From: "Kee Hinckley" <nazgul(_at_)somewhere(_dot_)com>
> This list has had this type of discussion before.  Those are
> approximately the requirements necessary for an SSL certificate.
> SSL certificates currently last one year at about $100/cert.  The
> margins are such that virtually no background checks are done.  And
> of course there is no revocation, arbitration or verification done
> for how you use it afterwards.  I would guess that, at a minimum,
> the level of support you are requesting would result in a fee on the
> order of $1000/year in order to support the necessary infrastructure
> and support needs.  It might be somewhat lower because the volume of
> sales would be many orders of magnitude higher than SSL certs, but I
> can't see it being any cheaper.

You say that like it's a bad thing.  If it would reduce the number of
SMTP servers by one or two orders of magnitude, that's great! Perhaps
I should remind you that your own (reasonably priced) service is
$36/year per user.  A $1000 would cover 28 people.  I should hope the
average SMTP server services more people than that!

But your assertion does not really check out.  The extra cost for
identity verification should be on the order of $100 for the first
year and maybe $30 extra per renewal.

For example, the cost of a passport application is $55 for the State
Department and $30 to the acceptance facility (usually the post
office).  The USPS just announced the availability of a service for
CAs to check identities in person.  I'm sure the cost will be
comparable to the $30 that they get for passport applications.

Or, my bank will do it for free for their customers, and there is a CA
(digitrust.com) that is associated with the American Banking
Association.  Their charge is $175 for a business identification or
SSL certificate.

And why should it cost more?  For the first time, somebody needs to
process the application, run a credit check, check ID against
databases.  In time (<1 hour) and fees (e.g. $25 for a credit report), that
should be less than a $100.  For a renewal, a good practice would be a
credit check (to see if there's anything really fishy) and mailing the
renewal code to the address to see if it's still good.  An extra $30?

So, how much do CAs charge for code-signing certificates, which should
be comparable?  The most expensive is Verisign, which is $400 the
first year and $300 for renewals.  Others are half that.

Right now the PKI is weak on certificate revocation, but that's not
strictly necessary. Third parties can label a given identity as a
spammer, just as they do for IP addresses.

In fact the PKI as it stands is adequate for identity verification, at
least in the United States, but as I indicated in earlier messages,
that's not quite enough to prevent spam.  You also need (at least) the
property that there are not too many certificates per person (although
the cost does put some limit on it.)

PKI provides
  certificate => identity
but not yet
  identity => few certificates

Note that IP addresses and domain names provide neither property.





_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


