
[Asrg] 0.? General? Openness, Blacklists and Accreditation and Network Effects

2003-12-03 11:19:52
All,

        I am just working on a revision of my authentication and
accreditation paper. The point was raised that there is a potential for a
'lock in' situation similar to that created by the early web browsers which
included a limited number of CA roots for SSL. Since this is an important
point that has a widespread impact I think we should discuss it on the
general list.

        First, do not assume that a static list is necessarily in the best
interests of the CAs, accreditation authorities or other trust providers. One
of the weaknesses of the SSL and padlock scheme is that it limits the degree
of trust to a binary choice: either there is trust or there is not. This
prevents CAs from creating premium certification products that involve a
higher degree of authentication and hence assurance for a specific purpose.
I would like to be able to offer a certificate that is exclusively for
doctors, for example, and would be identified by means of a specific logotype
embedded in the certificate (this is being worked on in PKIX). There is also
a leveling-down effect: the binary trust criterion does not require the CA to
accept any liability (VeriSign accepts up to $1 million) and some CAs do not
actually perform any authentication beyond checking that the credit card
payment clears. The risk here is that Gresham's law applies and bad
certificates drive out the good.

        For the spam application we clearly do not want a binary
accreditation system. Although our ultimate decision is going to be binary
(accept/reject) or at best ternary (accept/questionable/reject) the data we
use to make that decision is inherently shades of grey where the weighting
factors are supplied by the end recipients.

        I am using the term accreditation here loosely to refer to any
positive statement that is made concerning an email sender. This
accreditation might consist of authenticating the business registration of
the sender, but I prefer, when working in this particular context, to reserve
that term for authentication of the sender's right to use a particular domain
name to originate spam.

        The lock-in potential here is that we reach a point where it is
effectively impossible to send email without providing some form of
accreditation. It is easy to see how this will arise: there is a strong
positive feedback effect. As soon as a significant number of email senders
authenticate their mail there will be a significant number of people who use
that as a filter criterion. This will in turn create an incentive for others
to become accredited, etc. The network effect here is devastating. That is
why it is such a good potential spam control.

        I believe that we need to differentiate between a requirement for
accreditation becoming effectively compulsory and a requirement for
accreditation from a particular source becoming effectively compulsory. The
first may be a nuisance, but so is spam. The only way to deal with spam
origination is to have some means of holding senders accountable; that will
inevitably mean the innocent bear some cost. Even so, if the cost of
accreditation is only the same as the cost of an SSL cert today ($350) it is
a gain, since most ISPs and email senders spend considerably more than that
getting themselves re-accredited in bilateral negotiations with blacklists
and major ISPs. The cost of accreditation is already there, deal with it.


        So we are down to the question of how an email sender can use a new
form of accreditation that has never been seen before and for that
credential to establish the appropriate reputation (from always legitimate
to always spam).

        I think we need to extend the LMAP concepts to cover this; let's
start from basics. We have a bunch of email servers for the domain
example.com, which is in turn accredited by three organizations. I think we
need to have separate ways of encoding the two types of information:

8.0.30.195._smtp._lmap.example.com      TXT     "Yeah this cat can send email"
9.0.30.195._smtp._lmap.example.com      TXT     "Yeah this cat can send email"
10.0.30.195._smtp._lmap.example.com     TXT     "Yeah this cat can send email"
11.0.30.195._smtp._lmap.example.com     TXT     "Yeah this cat can send email"

_accr._lmap.example.com TXT "Accreditation 1"
_accr._lmap.example.com TXT "Accreditation 2"
_accr._lmap.example.com TXT "Accreditation 3"

        Here I have deliberately used bogus text to get the idea across. The
receiver looking to validate email from IP address 195.30.0.9 would look up
the records for BOTH 9.0.30.195._smtp._lmap.example.com and
_accr._lmap.example.com.

        The accreditation record needs to express the following information:

The protocol by which the accreditation may be confirmed
Unique key that identifies the source of the accreditation
The protocol address (can be the same as the key for the source)
Any additional data which might be required as a part of the accreditation
protocol.


For example imagine that there are accreditation services run by
promisenottaspam.com. The accreditation record for their "accredit one"
product might be something of the form:

_accr._lmap.example.com TXT "DNS TXT accredit.promisenottaspam.com www"

This would mean 'the accreditation is expressed by means of a TXT record at
www.example.com.accredit.promisenottaspam.com'.

Note that we do not need to use the DNS to say whether this is a good or a
bad thing; the decision to apply weight, and what weight to give to this
information, lies with the recipient alone.

Over a short period of time feedback filtering systems would quickly
allocate the right weights to new accreditation schemes without the need for
user intervention. The feedback could be short loop (spambayes) where the
user provides direct feedback to an algorithm or long loop with a spam
filtering company in the loop.


The big advantage of this system over the current blacklist-driven scheme
is that the sender of the email gets to choose the criteria they agree to
abide by, and the recipient gets to choose the criteria they agree to accept.
There is no coercion by external agencies.

The accreditation source can measure who is relying on what information. One
of the weaknesses of the current blacklist configuration is that in effect
every blacklist is trying to control the whole world. Of course some people
like this, it fits their ego. The downside is that quality is variable and
there is no way to know how reliable a blacklist listing is.

We might see some blacklists cutting down on the range of sources that they
respond on. So, for example, if someone has a spam honeypot and is simply
listing out the authenticated domain names they see sending to the pot,
people might advertise the existence of a new accreditation service even
though it was not positively accrediting them, only providing negative
accreditations of other sources.

                Phill

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
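The receiver-side lookup sketched in the message above, written out as an added example: this is not code from the post, the ASRG list or any LMAP draft. The zone contents, the four-token `DNS TXT <accreditor> <label>` reading of the _accr record, the second accreditor (accredit.newaccreditor.example), the second sender domain (newsender.example) and the recipient's weight table are all assumptions made here so that the scheme can be run end to end without real DNS.

```python
"""Receiver-side check of the two-record scheme from the message above.

Added example, not code from the post or from any LMAP draft.  Assumed here:
the zone contents, the four-token "DNS TXT <accreditor> <label>" grammar for
the _accr record, the extra accreditor and the recipient's weight table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for DNS; names are stored lower-case.
ZONE: Dict[str, List[str]] = {
    # Per-IP sender records: octets reversed under _smtp._lmap.<domain>.
    "8.0.30.195._smtp._lmap.example.com": ["Yeah this cat can send email"],
    "9.0.30.195._smtp._lmap.example.com": ["Yeah this cat can send email"],
    "10.0.30.195._smtp._lmap.example.com": ["Yeah this cat can send email"],
    "11.0.30.195._smtp._lmap.example.com": ["Yeah this cat can send email"],
    # Accreditation records for example.com (one TXT string per accreditor).
    "_accr._lmap.example.com": [
        "DNS TXT accredit.promisenottaspam.com www",
        "DNS TXT accredit.newaccreditor.example www",  # assumed newcomer
        "Accreditation 3",                              # placeholder, unparseable
    ],
    # What the accreditors publish about example.com (assumed contents).
    "www.example.com.accredit.promisenottaspam.com": ["accredit-one"],
    "www.example.com.accredit.newaccreditor.example": ["listed"],
    # A second sender that only the newcomer vouches for (assumed).
    "3.2.1.10._smtp._lmap.newsender.example": ["ok"],
    "_accr._lmap.newsender.example": ["DNS TXT accredit.newaccreditor.example www"],
    "www.newsender.example.accredit.newaccreditor.example": ["listed"],
}

# Recipient policy: weight per accreditor key.  Accreditors with no entry count
# zero until feedback assigns them a weight, as the post proposes.
WEIGHTS: Dict[str, float] = {"accredit.promisenottaspam.com": 1.5}


def lookup_txt(zone: Dict[str, List[str]], name: str) -> List[str]:
    """Stand-in for a DNS TXT query; an empty list means no data."""
    return zone.get(name.lower(), [])


def sender_record_name(ip: str, domain: str) -> str:
    """9.0.30.195._smtp._lmap.example.com for 195.30.0.9 / example.com."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on a malformed address
    return ".".join(reversed(str(addr).split("."))) + f"._smtp._lmap.{domain}"


@dataclass(frozen=True)
class Accreditation:
    protocol: str  # how to confirm the accreditation ("DNS")
    rrtype: str    # record type to fetch ("TXT")
    source: str    # unique key for the accreditor; also its address here
    label: str     # extra data: label prepended to the sender's domain

    def lookup_name(self, domain: str) -> str:
        """'DNS TXT accredit.promisenottaspam.com www' for example.com maps
        to www.example.com.accredit.promisenottaspam.com, as in the post."""
        return f"{self.label}.{domain}.{self.source}"


def parse_accreditation(txt: str) -> Optional[Accreditation]:
    """Parse one _accr TXT string; None for records this client cannot
    interpret (wrong arity or unknown protocol), which are then ignored."""
    parts = txt.split()
    if len(parts) != 4 or parts[0] != "DNS" or parts[1] != "TXT":
        return None
    return Accreditation(*parts)


def evaluate_sender(ip: str, domain: str, zone=ZONE, weights=WEIGHTS,
                    accept_at: float = 1.0, reject_at: float = -1.0
                    ) -> Tuple[str, float, List[str]]:
    """Return (decision, score, details); decision is accept, questionable
    or reject, the ternary outcome the post describes."""
    if not lookup_txt(zone, sender_record_name(ip, domain)):
        return "reject", 0.0, [f"{domain} does not list {ip} as a sender"]
    score, details = 0.0, []
    for txt in lookup_txt(zone, f"_accr._lmap.{domain}"):
        accr = parse_accreditation(txt)
        if accr is None:
            details.append(f"ignored unparseable record {txt!r}")
            continue
        confirmed = bool(lookup_txt(zone, accr.lookup_name(domain)))
        weight = weights.get(accr.source, 0.0) if confirmed else 0.0
        score += weight
        details.append(f"{accr.source}: "
                       f"{'confirmed' if confirmed else 'not confirmed'}, "
                       f"weight {weight:+.1f}")
    if score >= accept_at:
        return "accept", score, details
    if score <= reject_at:
        return "reject", score, details
    return "questionable", score, details


if __name__ == "__main__":
    for ip, domain in [("195.30.0.9", "example.com"),
                       ("195.30.0.12", "example.com"),
                       ("10.1.2.3", "newsender.example")]:
        decision, score, details = evaluate_sender(ip, domain)
        print(f"{ip:>12} {domain:<18} {decision:<12} score={score:+.1f}")
        for line in details:
            print("    " + line)
```

Three cases are exercised: 195.30.0.9 has a sender record and a confirmed, positively weighted accreditation, so it is accepted; 195.30.0.12 has no sender record, so it is rejected before any accreditation is consulted; newsender.example is vouched for only by an accreditor the recipient has not yet weighted, so it lands in the questionable bucket until feedback assigns that accreditor a weight. Negative weights in the table are how a honeypot-style negative listing would pull a score below the reject threshold.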



  • [Asrg] 0.? General? Openness, Blacklists and Accreditation and Network Effects, Hallam-Baker, Phillip