
Re: [Asrg] POSTAGE, was The fundamental misconception about paying for mail

2008-12-03 07:08:43
>>> Why can't I buy one SSL cert and put it onto as many sites as I like?

>> Because each site has a unique DNS entry.  I don't think a system that
>> requires a DNS entry for every message you send would work very well.

> I am straining to imagine why you would say this. Seriously. I'm
> mildly boggled. So forgive me if my response misses your point:

Uh, Barry, that's how SSL certs on web sites work.  Every web site has
a DNS entry, the name in the cert has to match the name in the DNS
that a www client uses to find the site.  That's what prevents "double
spending" certs to keep you from putting them on as many sites as you
like.  If you have a dozen servers with the same name, you can indeed
put the same cert on them, but unless they are load sharing mirrors
with the same content, the results would be too strange to be useful.
If you have a thousand different certs, you need a thousand DNS
entries to match them.

> That system, the one with the "postage meter", has to have something
> akin to an SSL cert to generate that "stamp" so the stamp would pass
> basic authentication by the receiving host, much like any browser can
> spot a phony SSL certificate.

I think we all get this part, the bank that issues the postage meter
signs the meter's cert, which signs the stamp which is bound to a
particular message, presumably with a hash of the contents, sender,
and recipient, or something like that.  Mail recipients would have a
list of credible banks, along the lines of the list of SSL signers
that web browsers have now.  No question, we know how to do that.

If you include the envelope in the stamp, you have all of the path
problems that SPF has.  If you don't, you have no protection against
sending the message to multiple recipients.  But let's just wave our
hands and ignore that problem for now.

> I don't see where "a DNS entry per message" enters into something like
> this at all any more than a "DNS entry per web page" would in a web
> server SSL cert context.

There's a key difference here: once you have an SSL cert for a web
site nobody cares whether there's one page or a million pages on the
site.  But if you're doing postage, the whole point is to limit the
number of messages, so you need some way to tell them apart so you can
count them.

>> That all makes sense, but I still don't see a reasonable process for
>> monitoring the mail.  Bad guy gets a meter, prints himself 100 stamps,

> Stop. How does he get a "meter"?

He buys one from the cheapest sloppiest bank around, of course.  There
will be the inevitable race to the bottom, with the banks doing the
absolute minimum necessary to avoid annoying recipients so much that
they manually take them out of the recipients' list of issuers.
Experience suggests that you'll have to be really horrible to have
that happen, and even if half of the recipients blackball you, the
other half will still be delivering a lot of spam.

> Again, let's go back to the SSL cert example.

> Bad guy gets an SSL cert...Stop! Not so easy.

You're kidding, right?  When's the last time you got an SSL cert?  I
happened to get one for my sister yesterday.  I looked around to find
out who's the cheapest, found someone selling them for $12.95
(servertastic.com), paid with a credit card which, since I am honest,
was actually mine, clicked through on a URL in an email message sent
to postmaster@<cert domain>, and got the signed cert, in a total of
about five minutes.  If I did it very often, I could easily have
scripted it.  This is the reality of Internet security today.

In the cert biz, they now have "high security" green bar certs which
roll the clock back to the price and somewhat more stringent
investigation that all certs required a decade ago, but it's just a
matter of time before those race to the bottom, too.

>> puts each of them on 100,000 pieces of mail and blasts out 10 million
>> spams to random recipients.  Are you assuming that each stamp would be
>> keyed to a particular message and envelope?  That's sort of what
>> Goodmail does, although it's rather hard to make it tamper-resistant.

> It wouldn't be valid, it wouldn't pass superficial checks by the
> receiving MTA, any more than a bad SSL cert would pass superficial
> checks by a browser.

I think it's reasonable to assume that bad guys will be able to crack
any software based meter.  (An obvious attack is to snapshot the newly
installed meter and restore the snapshot whenever it runs out of
money.) Are you expecting meters to include tamper resistant hardware?
That's not out of the question, but it raises the price, and it's hard
to think of a situation where widely deployed tamper resistant
hardware in hostile environments has resisted attack.

I'm not saying that it's hopeless so give up, but I'm definitely
saying that any proposal that depends on large numbers of people
acting against their very short term interests is unlikely to work.

R's,
John
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
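The bank/meter/stamp chain sketched in the message above, together with the point that a stamp which leaves the envelope out gives no protection against reuse across recipients, as an added model that is not part of the thread or of any real postage product. Signatures are stood in for by HMAC tags whose keys the recipient holds, and the meter id, addresses and message body are constructed.

```python
import hashlib
import hmac
import os
TRUSTED_METERS = {}  # meter_id -> key; stands in for the bank-signed meter cert

def bank_issue_meter(meter_id):
    TRUSTED_METERS[meter_id] = key = os.urandom(32)  # the bank "signs" the meter
    return key

def binding(sender, recipient, body):
    """Digest a stamp is bound to; recipient=None models a stamp that leaves
    the envelope out and covers only sender and content."""
    env = b"" if recipient is None else recipient.encode()
    return hashlib.sha256(sender.encode() + b"\0" + env + b"\0" + body).digest()

def tag(key, meter_id, serial, digest):
    """Meter 'signature' over serial and binding (HMAC stands in for it)."""
    return hmac.new(key, f"{meter_id}:{serial}:".encode() + digest, hashlib.sha256).hexdigest()

def meter_stamp(meter_id, key, serial, sender, recipient, body):
    return {"meter": meter_id, "serial": serial, "has_env": recipient is not None,
            "tag": tag(key, meter_id, serial, binding(sender, recipient, body))}

def receiver_check(stamp, sender, my_address, body, seen):
    """Recipient-side check; `seen` is this recipient's own log of used stamps."""
    key = TRUSTED_METERS.get(stamp["meter"])
    if key is None:
        return "unknown meter"
    # Recompute the binding from what arrived: an envelope-bound stamp must name me.
    digest = binding(sender, my_address if stamp["has_env"] else None, body)
    if not hmac.compare_digest(stamp["tag"], tag(key, stamp["meter"], stamp["serial"], digest)):
        return "bad stamp"
    ident = (stamp["meter"], stamp["serial"])
    if ident in seen:
        return "reused stamp"  # the counting step: same stamp seen twice here
    seen.add(ident)
    return "ok"

def demo():
    # Constructed scenario: one meter, one body, two recipients with separate logs.
    key, body = bank_issue_meter("meter-1"), b"constructed message body"
    alice_log, bob_log = set(), set()
    bound = meter_stamp("meter-1", key, 1, "s@example", "alice@example", body)
    loose = meter_stamp("meter-1", key, 2, "s@example", None, body)
    return (receiver_check(bound, "s@example", "alice@example", body, alice_log),
            receiver_check(bound, "s@example", "bob@example", body, bob_log),  # replayed
            receiver_check(loose, "s@example", "alice@example", body, alice_log),
            receiver_check(loose, "s@example", "bob@example", body, bob_log),  # accepted
            receiver_check(loose, "s@example", "alice@example", body, alice_log))
```

The snapshot-and-restore of a meter mentioned in the message reissues serials the meter already used; only a recipient whose own log already holds that serial can notice, since the logs are not shared.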