ietf-asrg

Re: [Asrg] attention bonds, was Email Postage

2008-11-22 21:07:29
On Sat, Nov 22, 2008 at 14:02, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:

> It's not very hard to type "attention bonds" into Google, but if you don't
> want to do that, here's a blog entry I wrote a few years ago:
>
> http://weblog.johnlevine.com/Email/attentionbond.html


So, to briefly summarize your objections and comment on them...

1. There's no way to set up a micropayment system that can't be hacked
around.

Evidence? That's a pretty strong assertion, given that we have systems like
SSL in place.

1.a. Bad guys will send fake payments from fake banks.

Which won't clear. Remember, unlike the checking system and the credit card
system, we can assume that every system that might need to be able to verify
a payment is connected to the network.

1.b. Bad guys will induce lots of people to e-mail them so they can collect
the payments.

Yeah, right. Just like everyone currently replies to spam messages they get?
I'm sure they'll be even more likely to reply when it might cost them money.

1.c. Bad guys will forge mail purporting to be from your friends.

And? It doesn't matter if they forge the identity, if they still have to
pay. It's the paying that makes the spamming uneconomical, not the
verification of identity. But if this really became a problem, smart friends
would start using S/MIME.

2. The infrastructure is too expensive for micropayments to work.

Maybe. It seems to me that if you can sell an MP3 or ringtone for a dollar,
or sell an SMS message for 10 cents and handle all the billing and still
make a profit, then selling an SMS-sized cryptographic postage hash for a
dollar ought to be pretty manageable.

3. It'll kill e-mail from countries with non-convertible currencies.

So anyone who cares about hearing from those countries can set up filters on
their inbox. And the rest of us, including people like me who currently
spam-filter everything from those countries anyway, can ignore that issue.

4. The banking system can't deal with that many transactions.

Yes, we might need O(1000) PayPals, by your figures. How many ISPs are
there?

5. There's no way to distinguish real banks, hence no way to distinguish
their bonds from (say) First Deceased Military Officers' Bank of Lagos,
Nigeria (sic).

Like there's no way to distinguish legitimate SSL certificate issuing
authorities, right?

6. It'll need strong authentication, and if you have strong authentication
you might as well just use that to solve the problem.

Like how? Please enlighten us as to how strong authentication can solve the
spam problem more directly, as we already have a workable scalable strong
authentication system in S/MIME, and if we can leverage it to stop spam then
I'm ready to give it a try right now.


mathew
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg