
Re: [Asrg] 3b. SMTP Verification - Reputation Systems and their Problems

2004-03-03 14:17:21
Mark Foster wrote:
On Wed, Mar 03, 2004 at 02:37:23PM -0500, Yakov Shafranovich wrote:

In the current world the closest approximation we have to reputation systems that are planned with LMAP are blacklists and Senderbase. Given that current blacklists have numerous problems, why would any proposed reputation or accreditation systems of the future be any different? How are we planning on avoiding the same problems we have today in the future, if we want to deploy such systems?


I've been doing some research into the use of STARTTLS and certificate
verification. The possibility exists for overlaying a
PKI trust model onto the email infrastructure... not just S/MIME and
PGP/GPG, but securing the message relay transmissions (MTA to MTA).


The problem with the PKI model is key distribution. If we follow the current SSL scheme that might work BUT then you are making Verisign and other CAs the gatekeepers for the Internet - and that can have repercussions. For example, in the SSL market according to (http://www.securityspace.com/s_survey/sdata/200402/certca.html), Verisign and Thawte have 30% and 20% each. HOWEVER, according to (http://www.thawte.com/html/CORPORATE/today.html), Thawte is owned by Verisign, which implies that 50% of the SSL market is controlled by one company. Do you really want a few companies to choose who gets the right to send email? Of course, a distributed system like DomainKeys can help with some of these problems, but the main problems that blacklists have are still there.

Also, SSL certificates today only *identify* the site; they do not provide its reputation. Changing CAs into reputation systems will involve a whole new set of challenges. These challenges are mostly present today in blacklists, which is exactly what worries me - I don't see yet how any of these problems can be avoided in any reputation systems.

Here are some of the problems with the idea.
1. Most if not all of the MTAs do not support certificate revocation
lists (CRLs) or OCSP (although Exim will very soon).
2. The existing CAs do not sell these "types" of certificates (usually
just web server, s/mime for email and code signing).
3. The existing CAs do not fit easily into the role currently played
by the DNSBL folks. They would need to revoke certificates upon receiving
complaints from the community at large about abuse.


#1 and #2 can be solved (#2 especially since CAs will jump at it). HOWEVER, #3 is what worries me. What does "abuse" mean, how do we know that any of these CAs will be any more responsible than SPEWS is today? What about lawsuits? Dealing with different standards of spam and different legal standards?

Yakov

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg