ietf-asrg

Re: [Asrg] Re: S/MIME

2004-03-21 12:53:20
Doug Royer wrote:

>> For small and reasonably well defined communities, a company signing
>> its employees' certs, or various geekly groups who know each other,
>> sigs can work, but I've never been able to see a plausible way to
>> scale up to the whole world of e-mail.
>
> This is mixing subjects. Being able to validate that the 'From' line is not forged
> has nothing to do with black or white lists.  You can black or white list
> based on email address as well as certs - no change to scalability.


While S/MIME certificates may prove to you that a given email address or domain is valid, the question is what do we do with that information? The end goal here is to reduce spam - the question is how would the use of S/MIME help with that?

This is the same problem that we face with LMAP/MARID proposals like SPF - once you have established identity, what do you do with that identity? Same for IP addresses of MTAs.

> If over time I learn that 'spam-certs-ca' sells certs for any domain name
> I can blacklist any cert signed by them. MUCH more scalable than
> trying to guess the thousands of 'From' addresses that may be sending spam.


Just like we cannot blacklist domain registrars, we will not be able to do the same for CAs. All that the CA is providing is assurance that a given email address or domain matches the information in the certificate. They do not try to tell us whether a given person is a spammer. Same for domain registrars.

Yakov

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


