
Re: [Asrg] 0 General - Fake HIV Letters in mail

2004-03-20 20:45:57
Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com> wrote:
> This is why I'm rather dim on the whole SPF/RMX/CallerID effort, I
> think you're better off just coming up with a higher-cost
> authenticated messaging using something like SSL and certificates or
> PGP

  To authenticate what, exactly?

  Part of the problem is the lack of a naming scheme for domains.  I
don't know if a company is at "example.com", or "example-company.com",
or "example-this-is-cool.com".  The inability of the end user to trust
a name has a direct correlation to the spammer's ability to abuse that
name.

  DNS names are structured, but for marketing/political reasons,
everybody wants a "dot com" name.  So even Canadian businesses aren't
using "example.ca", they're using "example-canada.com", or
"example-ca.com".  That kind of nonsense is causing them problems, but
we're the ones asked to fix the problem.

  So why not enforce structured names?  It's technically feasible, and
is a start towards authenticating *something*.

> ... and just let everyone know that if it isn't via an authenticating
> source then, well, it's no more trustable than any random letter you
> get in your postal mailbox (Congratulations, You have just won one
> of the following four prizes!)

  That requires well-known sources.  If I get a letter from my bank, I
have many ways of telling that the letter is authentic.  If I get an
email from them, I have many fewer ways.

  Signing messages is a start.  But what identity is trusted?
example.com, example.ca, or example-canada.com?  Without a trusted
naming scheme, cryptographic signatures are not much more than a way to
burn CPU cycles.

  Alan DeKok.
