Re: [Asrg] POSTAGE, was The fundamental misconception about paying for mail

2008-12-03 17:18:41

On December 3, 2008 at 12:08 johnl(_at_)taugh(_dot_)com (John Levine) wrote:
Why can't I buy one SSL cert and put it onto as many sites as I like?

Because each site has a unique DNS entry.  I don't think a system that
requires a DNS entry for every message you send would work very well.

I am straining to imagine why you would say this. Seriously. I'm
mildly boggled. So forgive me if my response misses your point:

Uh, Barry, that's how SSL certs on web sites work.  Every web site has
a DNS entry, the name in the cert has to match the name in the DNS
that a www client uses to find the site.  That's what prevents "double
spending" certs to keep you from putting them on as many sites as you
like.  If you have a dozen servers with the same name, you can indeed
put the same cert on them, but unless they are load sharing mirrors
with the same content, the results would be too strange to be useful.
If you have a thousand different certs, you need a thousand DNS
entries to match them.

One would only need a "cert" to create a stamp for a message. You
don't need a cert for every stamp or whatever it is you're saying.

That system, the one with the "postage meter", has to have something
akin to an SSL cert to generate that "stamp" so the stamp would pass
basic authentication by the receiving host, much like any browser can
spot a phony SSL certificate.

I think we all get this part, the bank that issues the postage meter
signs the meter's cert, which signs the stamp which is bound to a
particular message, presumably with a hash of the contents, sender,
and recipient, or something like that.  Mail recipients would have a
list of credible banks, along the lines of the list of SSL signers
that web browsers have now.  No question, we know how to do that.

Ok.

If you include the envelope in the stamp, you have all of the path
problems that SPF has.  If you don't, you have no protection against
sending the message to multiple recipients.  But let's just wave our
hands and ignore that problem for now.

Ok.

I don't see where "a DNS entry per message" enters into something like
this at all any more than a "DNS entry per web page" would in a web
server SSL cert context.

There's a key difference here: once you have an SSL cert for a web
site nobody cares whether there's one page or a million pages on the
site.  But if you're doing postage, the whole point is to limit the
number of messages, so you need some way to tell them apart so you can
count them.

Well, there are two things here:

a) How can the issuer count them.

b) How can someone else detect a duplicate later if they were so
interested.

The issuer, for a consumer ISP that'd be the ISP's MTAs, could just
keep a simple count by sender and do what they like policy-wise with
that info.

It's "b" which makes it interesting; how do we let everyone
(interested) participate.

So a "stamp" should be designed to have a signature from the MTA
identifying the "postage meter" and a serial number or equivalent,
both in a format difficult to forge or tamper with.

But the postage meter part only needs one "cert" for a realm, in
theory. It could have more but one is enough, much like SSL certs.

That all makes sense, but I still don't see a reasonable process for
monitoring the mail.  Bad guy gets a meter, prints himself 100 stamps,

Stop. How does he get a "meter"?

He buys one from the cheapest sloppiest bank around, of course.  There
will be the inevitable race to the bottom, with the banks doing the
absolute minimum necessary to avoid annoying recipients so much that
they manually take them out of the recipients' list of issuers.

That's fine. If the spam isn't bothering them then by all means accept
all those "Dewey, Cheatem, & Howe" signed certs.

I've said before you should be free to accept totally unstamped email
if you like so that's just a special case. There's also accepting only
stamped email but not checking if the stamp is valid. It's your
system.

But if I'm BIGISP and first I say: we only accept email with valid
stamps and then I say "forthwith stamps signed by Dewey, Cheatem, &
Howe are not valid and will be rejected" then oh well, I guess Mr
Spammer who uses Dewey, Cheatem & Howe is out of business.

The key to all this spam nonsense is not that you could choose to
accept the spam, of course you can, the key is creating a way that you
can (reliably) choose NOT to accept it.

Of course, add in the economic motivation and the game gets a little
more serious.

If the ISP et al is being paid a cut of the postage they accept,
perhaps in the simplest case even as just defray of their own postage
costs, then they're motivated not to accept from cheaters.

Not because they're cheaters only, but because a cheater WON'T BE ABLE
TO PAY!

You'd be like a bank issuing credit cards to really bad
customers. Good luck! How ya gonna pay the merchants if you keep that
up?

So to some extent, and at some point, it's self correcting.

You just left out the money part. The money part is really, really
important, just as it is with paper mail postage.

If Pitney & Bowes could sell you postage meters which didn't really
check how much you used sure they'd get popular! But I suspect their
business model would fail soon enough. Among other things the post
office would refuse to let them continue doing that, but therein it's
a slightly different situation. But suffice it to say the economics
couldn't work.

Experience suggests that you'll have to be really horrible to have
that happen, and even if half of the recipients blackball you, the
other half will still be delivering a lot of spam.

Again, toss the economics back in and see if you still believe that.

Spamco isn't paying postage just to make Dewey, Cheatem & Howe
(heretofore DCH) epostage meter company rich. They're paying it so DCH
can pass part of that postage towards the recipients. We're creating
an ecosystem here.

If DCH is allowing customers to fraud how do they pay their
settlements?

Again, let's go back to the SSL cert example.

Bad guy gets an SSL cert...Stop! Not so easy.

You're kidding, right?  When's the last time you got an SSL cert?  I
happened to get one for my sister yesterday.  I looked around to find
out who's the cheapest, found someone selling them for $12.95

Ok, see again there are N facts and you base your argument on N-1 or
N-2.

Since spammers need zombie bot armies to achieve IP mobility,
otherwise we'd just block their servers and be done with them, they'd
have to have a valid "cert" for each of the million zombies.

Even at $12.95 per each a million gets pretty expensive!

I think part of what we keep putting out of our minds is:

   How MUCH of an economic disincentive would it take to put the
   zombie bot army spammers (I am so glad to live in a world where I
   can use that phrase!) out of business?

I say: If it were even superficially enforceable? Not much!

But it's hard to say what that number is exactly.

My instincts say add $100K or so per year to their costs and they'd go
back to kidnapping people's pets for vivisection experiments or
whatever they used to do for a living.

Maybe it's more. Maybe it's less.

I'm pretty sure $1M/year is way beyond their means.

  I know, you want to talk about enforcement right here.

  But let's try to focus on what a goal might be?

I suspect, how could we measure this?, that there'd be some
exponential drop-off of spammers probably starting at a pretty small
number: Force them to pay (this is all additional to their current
costs) $10K/year and maybe 50% are gone, $100K/year, 90% are gone,
$1M/year, 99.9%, maybe even so close to 100% it's not worth debating.

Anyhow, that's something like a goal with numbers even if only
estimates, it's a mathematical model I don't think I've seen before.

(servertastic.com), paid with a credit card which, since I am honest,
was actually mine, clicked through on a URL in an email message sent
to postmaster@<cert domain>, and got the signed cert, in a total of
about five minutes.  If I did it very often, I could easily have
scripted it.  This is the reality of Internet security today.

In the cert biz, they now have "high security" green bar certs which
roll the clock back to the price and somewhat more stringent
investigation that all certs required a decade ago, but it's just a
matter of time before those race to the bottom, too.

Well, I think I answered this.

puts each of them on 100,000 pieces of mail and blasts out 10 million
spams to random recipients.  Are you assuming that each stamp would be
keyed to a particular message and envelope?  That's sort of what
Goodmail does, although it's rather hard to make it tamper-resistant.

It wouldn't be valid, it wouldn't pass superficial checks by the
receiving MTA, any more than a bad SSL cert would pass superficial
checks by a browser.

I think it's reasonable to assume that bad guys will be able to crack
any software based meter.  (An obvious attack is to snapshot the newly
installed meter and restore the snapshot whenever it runs out of
money.) Are you expecting meters to include tamper resistant hardware?
That's not out of the question, but it raises the price, and it's hard
to think of a situation where widely deployed tamper resistant
hardware in hostile environments has resisted attack.

No, no special hardware, I take that as a given. I can't say that at
some advanced point that, just like crypto chips, something might be
sunk in hardware but that oughtn't be a pre-requisite.

But their opportunity to crack these software meters should be roughly
the same as their opportunity to crack SSL certificates. That would be
a reasonable first goal.

I'm not saying that it's hopeless so give up, but I'm definitely
saying that any proposal that depends on large numbers of people
acting against their very short term interests is unlikely to work.

Even if those interests include money?

A lot of the motivation here is to create an economy around email
which works against spammers, both explicitly (difficult to forge
postage) and implicitly (motivates and pays for enforcement.)

-- 
        -Barry Shein

The World              | bzs(_at_)TheWorld(_dot_)com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
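As an added illustration, not code from either poster, here is a toy Go model of the scheme sketched above: a bank signs a meter's key, the meter signs a serial number bound to a hash of sender, recipient and body, and the receiving MTA checks the stamp against its list of trusted banks and rejects a serial it has already seen, which is what catches the snapshot-and-restore meter. The names, the digest layout, the use of ed25519 and the choice to hash the recipient in are assumptions, not anything the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type MeterCert struct { // the meter's public key signed by an issuing bank (its "SSL cert")
	Issuer, MeterID string
	Pub             ed25519.PublicKey
	Sig             []byte // bank signature over certTBS
}
type Stamp struct { // one meter serial number bound to a digest of sender, recipient and body
	Cert   MeterCert
	Serial uint64
	Sig    []byte // meter signature over stampTBS
}

func certTBS(id string, pub ed25519.PublicKey) []byte { return append([]byte(id+"|"), pub...) }
func stampTBS(serial uint64, sender, rcpt, body string) []byte {
	d := sha256.Sum256([]byte(sender + "\x00" + rcpt + "\x00" + body)) // assumed digest layout
	return []byte(fmt.Sprintf("%d|%x", serial, d[:]))
}

// IssueMeter is the bank certifying a fresh meter key (constructed example, not a real CA).
func IssueMeter(issuer, id string, bank ed25519.PrivateKey) (MeterCert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return MeterCert{issuer, id, pub, ed25519.Sign(bank, certTBS(id, pub))}, priv
}

// MakeStamp is the meter printing one stamp; an honest meter never reuses a serial.
func MakeStamp(c MeterCert, priv ed25519.PrivateKey, serial uint64, sender, rcpt, body string) Stamp {
	return Stamp{c, serial, ed25519.Sign(priv, stampTBS(serial, sender, rcpt, body))}
}

// Check is the receiving MTA: issuers is its trusted-bank list, seen its spent serials (catches replays).
func Check(issuers map[string]ed25519.PublicKey, seen map[string]bool, s Stamp, sender, rcpt, body string) error {
	bank, ok := issuers[s.Cert.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q not on trusted list", s.Cert.Issuer)
	}
	if !ed25519.Verify(bank, certTBS(s.Cert.MeterID, s.Cert.Pub), s.Cert.Sig) ||
		!ed25519.Verify(s.Cert.Pub, stampTBS(s.Serial, sender, rcpt, body), s.Sig) {
		return fmt.Errorf("forged meter cert or stamp, or stamp moved to another message")
	}
	key := fmt.Sprintf("%s/%s/%d", s.Cert.Issuer, s.Cert.MeterID, s.Serial)
	if seen[key] {
		return fmt.Errorf("duplicate serial %d: stamp already spent", s.Serial)
	}
	seen[key] = true
	return nil
}
```

Striking a bank from the issuers map is the "forthwith stamps signed by Dewey, Cheatem & Howe are not valid" policy; the seen map is what lets a recipient, not only the issuer, detect a duplicate.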