From: "Mark McCarron" <markmccarron_itt(_at_)hotmail(_dot_)com>
To: asrg(_at_)ietf(_dot_)org
Subject: [Asrg] Choicelist - The problems
Date: Sun, 06 Jul 2003 20:12:28 +0000
Choicelist - A list of problems
1. Interception of data streams to and from proxy.
Quote from the PDF on my site:
"Choicelist by Proxy would be less secure and fast than using an MUA
compatible with Choicelist, but
would allow anyone to gain the advantages of Choicelist without changing
Email software."
2. Doesn't prevent spam to user's account, only that which is directed to
choicelist.
Choicelist is a filter bypassing system, it allows existing filters to work
harder because it minimizes the risk of false positives.
3. Whitelisting is easily bypassed by forging the sending address, ip
address, etc.
2 more quotes from the PDF:
"Choicelist provides a way for these 2 things to happen easily, as well as
provide other information such as content labeling, or authentication
information (PgP signature key, authorized sending IP address, Etc…)."
"Mail must pass the authentication tests selected by the identity controller
before it is delivered in the name of that identity."
Any type of message authentication system can be used, even ones that
haven’t been invented yet.
4. Instant opt-out only applies to Choicelist not email from other
sources.
It only has to work on Choicelist enabled mail because Choicelist gives an
advantage as soon as 2 people start using it. From there the advantage just
gets stronger.
5. Interception of data streams at master server.
2 more quotes:
"The entire database will be available in weekly releases as a collection of
100 Mb files and the MD5 checksum for each one."
"Using the public database releases to create a private mirror is the most
secure way to access the database."
6. 'Secret code' can be intercepted from email.
You are correct. Though if your messages can be intercepted or re-routed by
someone you have bigger problems than spam.
Also, this is a problem that can be fixed by only minor human intervention
at Choicelist by the responsible parties.
7. Database size to impractical for mass deployment.
It is a large database now, but the database size will not grow nearly as
fast as our ability to deal with it.
Therefore over time the database will appear to shrink.
10 years ago 1 Gigabyte of storage was huge.
Now I can't buy one less than 20 Gigabytes in size.
10 years from now the entire database may be held trivially on a memory
stick...Who Knows.
This is a long-term solution.
These are the main weaknesses of the system. I'm afraid it would not stop
spam or even reduce it by any significant amount. Spammers, as you have
stated would avoid the system, however, it would be because they can still
continue to send spam the way they currently do.
Choicelist just creates a list that may bypass filters on the web. In
order to bypass these filters procedures would have to be adopted to allow
deactivation of the filters for bulk email transmission.
Choicelist does not deactivate filters, it sits beside them. Non-Choicelist
mail has no choice but to go through them.
This could perhaps lead to developing a larger weakness, in that, hackers
may intercept any codes used to control filters.
There is no control of filters granted by Choicelist. Choicelist merely
hands mail to the filters if the sender is not registered with Choicelist.
The only way choicelist could secure bulk email would be integrating it
upon the 'GIEIS' architecture, however, 'GIEIS' has unbreakable methods of
handling bulk email already.
Perhaps your magical EAS can solve world hunger and make pigs fly too.
Touch\xE9!
John Fenley
_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*.
http://join.msn.com/?page=features/featuredemail
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg