At 8:40 PM -0400 7/2/03, Ken Hirsch wrote:
>> for how you use it afterwards. I would guess that, at a minimum,
>> the level of support you are requesting would result in a fee on the
>> order of $1000/year in order to support the necessary infrastructure
>> and support needs. It might be somewhat lower because the volume of
>> sales would be many orders of magnitude higher than SSL certs, but I
>> can't see it being any cheaper.
>
> You say that like it's a bad thing. If it would reduce the number of
> SMTP servers by one or two orders of magnitude, that's great! Perhaps

I'm not sure why that would be good. But leaving that aside.

> But your assertion does not really check out. The extra cost for
> identity verification should be on the order of $100 for the first
> year and maybe $30 extra per renewal.

Identity verification is only part of the proposal I was responding
to. The other piece was verifying the good behavior of the cert owner.
That requires a clearing house for complaints, an arbitration
process, and a mechanism for ensuring that the same person doesn't
pop up under a different name (which is a different sort of
verification problem, as you point out). That's where I'd expect the
expense to come.

Never mind the question of how you certify someone in a country that
doesn't have as codified a banking and company registration system as
those where most SSL certs are issued.

> So, how much do CAs charge for code-signing certificates, which should
> be comparable? The most expensive is Verisign, which is $400 the
> first year and $300 for renewals. Others are half that.

Code signing certs are probably a better example than SSL certs. Do
you know how they handle complaints and revocations?

> Right now the PKI is weak on certificate revocation, but that's not
> strictly necessary. Third parties can label a given identity as a
> spammer, just as they do for IP addresses.

Right now virtually none of those third parties have an arbitration
process. That would have to change.

Modulo the problem of countries without a reliable certification
structure, I actually think that requiring signed certs on mail
servers is a reasonable thing to do. Forget revocation for spamming
and the like. At the very least it would solve the open-proxy
problem. But the third-world problem is a very real one. One of the
benefits of email right now is that it has created a level playing
field for communication throughout the entire world. Cutting the
third world out of the information flow is not something I want to do.
--
Kee Hinckley
http://www.messagefire.com/ Anti-Spam Service for your POP Account
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.