ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] Email Postage (was Re: FeedBack loops)

2008-11-19 19:45:49
from [Gerald Klaas] [Permanent Link] 
Then somewhere around there they better get their own "postage meter"
just like at some point someone using a shared SSL cert oughta get
their own SSL cert, or other such services.


Why not create a standard framework for retrieving and sending "stamps"
(such as the format of a message header line or MIME type) and let recipient
ISP's run their own "postage meters" ?  The recipient ISP could decide under
what circumstances they would frank stamps, and only accept stamps that they
generated.

Gerald



On Mon, Nov 17, 2008 at 2:03 PM, Barry Shein 
<bzs(_at_)world(_dot_)std(_dot_)com> wrote:



On November 17, 2008 at 15:09 sethb(_at_)panix(_dot_)com (Seth) wrote:
 > Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com> wrote:
 >
 > > Amazon buys cryptographic cookies and puts them in the email header.
 >
 > What does Grandma buy?

Grandma doesn't have to buy anything in the typical case, as I
envision this.

For most regular users their ISP would stick a stamp on at the MTA,
much like DKIM or whatever, some sort of header.

One would assume that ISPs who do this sort of end-user service would
get all the stamps they need for this for some flat fee which could be
zero but let's be realistic, but think SSL cert charges. There'd have
to be some guidelines to prevent blatant abuses, which in turn would
be some incentive to prevent customers abusing.

 > > These can be verified independently by a receiver (MUA, MTA, whatever,
 > > that's policy.)
 >
 > What stops Amazon from re-using the purchased cookies?  Panix has no
 > way of knowing if World received email that used the same cookie.

I guess the same thing which stops amazon from taking your order and
sending you nothing (thanks sucker!)

There are cryptographic techniques to help with avoidance, detection,
recovery, etc.

But the short answer is: If they get caught they presumably have
committed at least damage to their good will (think: like one's credit
rating), possibly tortious for various reasons, and conceivably
criminal, fraudulent, once things get going and courts might recognize
that maliciously counterfeiting these credentials is a problem w/in
their jurisdiction.

Maybe ISPs and others who were relying on this pool of funds would
boycott them until they've certifiably cleaned up their act.

Go ask amazon what they'd think of a day without google mail.

 > > But here's a better one: Limits, unless explicitly waived.
 > >
 > > Grandma can send, I dunno, pick a number, 1,000 free messages a day
 >
 > Enforced by whom?

I guess her ISP, like limits on her inbox size, etc.

 > > (receiving isn't involved), that'd slow down any spammer.
 >
 > Like one with 10 million zombies?

Well, the current situation is infinite, or full capacity of the
zombied machine and its connection anyhow.

And little or no motivation to even meter that activity let alone act
on that non-existant metering.

Now we've created some motivation. A system which actually pays the
ISP (as I've said before and maybe even the end-user but that's
marketing.) But only if it's reasonably reliable.

In a way there's a wonder asymmetry involved here.

An ISP might at some point say to (e.g.) Amazon: As of DATE we no
longer will accept email from (e.g.) Amazon unless it's properly
franked. Probably they'd say that at the point that it's already true,
but you go one by one down the list or whatever.

Now, could Amazon say to ISP: Well, then *WE* won't accept email from
YOU unless it's properly franked!

OF COURSE NOT! Amazon (e.g.) WANTS their customers' business!

That's the asymmetry which is being utilized here.

 > >  Maybe as an ISP I'd up you to 10,000/day free merely for asking,
 > > grandma would never ask, if you're aware enough to ask you probably
 > > aren't that likely to be zombied.
 >
 > Are you going to pay real people to answer the phone, or will you
 > accept requests by computer (from zombies)?

Passwords, captchas, etc.

How do I order anything of value from my ISP like web site services,
virtual mail domains, etc etc etc.

C'mon, you're just grasping for straws here, right? You know all this.

You do as much as the security warrants. For something like "I run a
small list, 1,000/day isn't enough, can I have the free 10,000/day?"
that's a pretty small security risk really, a captcha or similar might
do it.

And to anticipate your next response: And if they need 100,000/day?

Then somewhere around there they better get their own "postage meter"
just like at some point someone using a shared SSL cert oughta get
their own SSL cert, or other such services.

Whether that's free or not, or one time flat fee like an SSL cert, is
a different discussion. I'd envision several possibilities depending
on use (commercial vs non, etc.) or maybe it's cheap enough that
there's no need for that at that level, it's only a significant cost
for someone who sends out millions and millions per day.

--
       -Barry Shein

The World              | bzs(_at_)TheWorld(_dot_)com           |
http://www.TheWorld.com <http://www.theworld.com/>
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg


_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] Email Postage (was Re: FeedBack loops), Gerald Klaas
Next by Date:  Re: [Asrg] Email Postage (was Re: FeedBack loops), Gerald Klaas
Previous by Thread:  Re: [Asrg] Email Postage (was Re: FeedBack loops), Barry Shein
Next by Thread:  Re: [Asrg] going aound in circles, was Email Postage, John Levine
Indexes:  [Date] [Thread] [Top] [All Lists]