Thankyou for your comments. My comments are in the body of the message
below. This post refers to the 'GIEIS' system currently at version 0.003.
An update was carried out on the next 4th July 2003. Datails of the 'CAA'
have be released as well as details regarding the 'CICFS' filtration system.
'GIEIS' has an extensive list of systems to be added and they will appear
as soon as the documentation can be written.
The 'GIEIS' system can be viewed here at:
http://homepage.ntlworld.com/giza.necropolis
Mark McCarron.
--__--__--
Message: 5
From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>
To: <asrg(_at_)ietf(_dot_)org>
Subject: Re: [Asrg] The Solution To Spam - The First Response
Date: Thu, 3 Jul 2003 16:51:19 -0400
From: "Kee Hinckley" <nazgul(_at_)somewhere(_dot_)com>
> Identify verification is only part of the proposal I was responding
> to. The other piece was verifying the good behavior of cert owner.
> That requires a clearing house for complaints, an arbitration
> process,
I don't really expect that to be much of a problem. People are quite eager
to give you free help to find violators and it's not expensive to put out
spamtrap addresses.
Mark's Reponse:
Agreed. There are problem countries with respects to this.
From what we've heard from ISP's, complaints are rare and they manage to
handle those without huge expense. From all sources I've seen, the overlap
between IP addresses of spammers and IP addressses of legitimate email is
tiny.
Mark's Response:
I would agree with this too. If a company moves towards registration with
cert. authorties and the expense associated with it, then they tend to have
excellent customer relations also. It is a reflection of the serious nature
in which they view online business.
As long as problem M (below) is solved, there's really very little point in
the certicate holder fighting revocation, since once identity is
established
everybody else can use it to make their own determination as to whether to
accept mail from them.
Problem M (Multiple identities/certificates/IP addresses/domain
names/etc.):
> and a mechanism for ensuring that the same person doesn't
> pop up under a different name (which is a different sort of
> verification problem, as you point out). That's where I'd expect the
> expense to come.
This is key. But I think it is necessary for any permanent solution to the
spam problem. Everything else I've seen proposed is either a temporary fix
in the spam arms race or is something (such as RMX) that would only be
useful if used in conjunction with something that solves problem M.
Mark's Response:
The simplist way to achieve this is to raise the 'bar' for online
expenditure. Any company that would have a solid outlook on Internet based
trading would be able to afford in excess of £5,000 a year to pay on proper
digital registration systems and point-to-point contacts with businesses and
clients. If a company would find this expenditure difficult to reach then
it is a clear indicator that they are not ready for an Internet Solution.
It would assist small to medium size firms to seriously evalutate any
proposed web initiatives and detract from failed enterprise ventures.
> Never mind the question of how you certify someone in a country that
> doesn't have as codified a banking and company registration system as
> those where most SSL certs are issued.
This is a good question. I would hope that any people on the list with
knowledge about how CA's operate, especially internationally, would come
forward. Do you have any comments about Problem M? I notice that there is
a pbaker at VERISIGN.com.
Mark's Response:
Problem M is difficult to deal with in the majority of the world. In the
developed world the majority of businesses related all their information
against publically held data such as electoral rolls, credit information
etc. This is further related to government held files such as social
security (national insurance in UK) numbers and DMV (driver, motor,
vechical) records. In some countries relation to DMV is illegal. Also,
companies share information on customers who default payments. Ever details
can be searched and cross-referenced, this cuts down on the M factor but
does not eliminate it. In the financial world, the next step would be to
equate it against risk. That is, how much risk do you want to take in
lending money to this individual and a credit limit is established. In
digital terms of authorising a cert. this sense of 'risk' is lost. It would
not be in a cert. companies interest to rate certificates independently and
award a 'cutomer risk factor' assesment that was appended to the cert.
itself. Such as 'Bad Credit History', however, a public body like 'GIEIS'
would.
My earlier proposal about getting CAs more or less directly involved in the
spam problem might be misguided. As long as they can verify identity (in
the strong way, solving Problem M), then other organizations can build on
that to solve the spam problem.
Mark's Response:
That is not just the problem. The problem is the SMTP protocol and how it
allows emails to be sent from any location. The spam problem cannot be
solved without restructuring the Internet slightly as proposed in 'GIEIS'.
The essence of my earlier proposal:
(1) mail servers can accept mail (without challenge-response) only if it is
verified at either at the server level or the individual message level.
There are already technologies to do this (SSL client certificates,
IP-lookups to a verifying organization, S/MIME signatures, etc.).
The method must have a reliable, short chain to a responsible organization
or individual with strong identity (see Problem M).
It is not necessary that everyone choose the same method.
Mark's Response:
The verification process you describe requires a structure like 'GIEIS'.
Also, it does not address domestic accounts were the majority of spamming is
conducted from. You cannot expect everyone to sign up to a cert. authority
and have their background checked. IP/Lookups are pointless because almost
every aspect of the system can be used in a breach attempt. It is even
possible to intercept the automated look-up request itself and substitute a
reply.
(2) mail that cannot be so verified must be subject to challenge-response
authentication.
Mark's Response:
This will just annoy ligitimate users as spammers can bypass the system
easily anyway.
Conjecture:
It might be possible to grandfather-in existing SMTP servers that are known
to be legitimate. But the fact that there are soooo many SMTP servers is a
problem. Not only it in cumbersome to manage so many millions of items,
more importantly it is hard to even gather the data about who is sending.
You may never have received a message from fredsgrocery.com, but it may
well
have a legimate automated mailing system. (Obviously challenge-response is
mostly a problem with mailing lists and other automated mail systems.) If
you could find out all SMTP servers with a good reputation, you could
arrange to verify them by looking up, say,
63.10.45.12.presumedinnocent.org.
But it is critical that this NOT apply to new/unknown servers and it would
be subject to easy revocation.
Mark's Response:
Another factor is this, automated challange response systems may end up
challanging each other in an infinite loop. "Are you talking to me...".
Mark McCarron.
http://homepage.ntlworld.com/giza.necropolis
_________________________________________________________________
Get Hotmail on your mobile phone http://www.msn.co.uk/msnmobile
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg