On Sun, Sep 28, 2003, Bill Weinman wrote:
I have just finished a new draft of the AMTP specification. I would welcome
comments from this group.
Question: what do you gain by requiring a cert? Whom do you trust
to be a CA? BTW: the hierarchical structure of X.509 certs is
fine for companies, but not for others, where a "web of trust"
would be more appropriate.
It seems that all you get is that the spammers just pay a bit of
money to some CA to send out their stuff.
It would be nice if someone categorizes the ways how spam reaches
the recipients (open relay, proxy, trojaned PCs, directly from
spammers, etc), and the explain how you can defeat those (DNS BLs
for the first two at least, rMX/designated sender can help in some
cases, etc).
Your requirement 4.2 (2) (unfortunately the items aren't numbered)
solves the first the entries from the list above, but it doesn't
do anything about the direct spammers. However, it would kill a lot
of legitimate MTAs (or force them to spend extra money which I
wouldn't do: I provide free software support, I certainly wouldn't
spend extra money on that). These financial requirements hurt the
wrong people, not the spammers. This looks like a way to generate
income for some companies. Why should CA issuers be any better
than ISPs providing connectivity for spammers?
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg