From: "Kee Hinckley" <nazgul(_at_)somewhere(_dot_)com>
At 5:42 PM -0400 10/6/03, Ken Hirsch wrote:
I have proposed a specific anti-spam certificate which would only be issued
when the subscriber states what anti-spam policy will be followed and
contractually agrees to it.
AOL currently blocks 2 billion spam messages a day. Over 5% of the
internet is in their blacklist.
So they trust 95% of IP addresses, instead of the 0.1% that they should be
trusting..
[...]
Domain-based or sender-based certificates are nice for techies and
cool end-user software that doesn't exist yet, but they provide no
value at all to the major ISPs. They don't scale; ISPs are iffy
about doing one more DNS lookup on a connection, let alone validating
certs.
Where is the analysis that it won't scale? It seems to me that the current
system
where AOL has to block 2 billion spams a day is the one that has high overhead.
Does anybody have actual numbers on the overhead for establishing an SSL/TLS
session? Compared to, say, a DNS-based scheme?
And never mind the infrastructure changes. If you want to
provide an authentication system that will get adopted, design one
that solves the problem for AOL, MSN, RoadRunner, Earthlink and the
other big ISPs.
I won't mind the infrastructure changes because that's what this group is all
about.
I won't try to redesign the PKI or DNSSEC or TLS; those protocols and systems
have
already been designed by people who know more than I.
But I won't give up on authentication, because without it all the other
proposals
are a joke. The criminals will run their own name servers and abuse any
consent-framework.
If authentication must be DNS-based, so be it, but it must be POSITIVE,
white-list
based authentication, not blacklists, and authentication against a trusted third
party, not against name servers of unknown control.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg