
Re: [Asrg] About that e-postage draft [POSTAGE]

2009-02-16 14:27:57
But that means that stamps are not interchangeable. You can't buy
them or generate them in advance, or at least not in bulk, in
advance. Instead you have to purchase them (from one of a small
number of "banks") at the time you send the mail as well as redeem
them (from that very same bank) later.

Right -- we've just moved the bottleneck from cashing the stamps to
generating the stamps.

But actually, we haven't moved it, since the bad guy can use the same
stamp to send multiple spams to the same victim unless the bank also
cancels the stamps.

The idea of an expiration time is not terrible, but now it means that
we're putting a hard limit on how slow a recipient system can be and
not lose valid mail due to expiring stamps.  There's a tradeoff
between replay prevention and lost mail that I doubt has a satisfactory
resolution, since it's not hard to send dozens or hundreds of messages
a second, but an unavailable system is often unavailable for minutes
or hours.

If you allow senders to redeem unused expired stamps, now you have yet
another race condition of trying to use a stamp and redeem it within a
small interval around the expiration time.

It would be really nice if anyone suggesting a postage scheme do at
least a rudimentary threat analysis like this: what are likely ways
that bad guys will try to defraud it, what are the countermeasures,
and how expensive are they.

R's,
John
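
The tradeoff between replay prevention and lost mail raised in the message above, as an added example that is not part of the original post. The `Bank` class, its methods, and every rate, lifetime and outage figure are constructed assumptions for illustration, not part of any e-postage draft.

```python
from dataclasses import dataclass, field

@dataclass
class Bank:
    """Toy stamp issuer (hypothetical): a stamp is valid until issue time + ttl seconds."""
    ttl: float
    cancel_on_redeem: bool                       # does the bank cancel used stamps?
    issued: dict = field(default_factory=dict)   # stamp id -> expiry time
    cancelled: set = field(default_factory=set)

    def issue(self, now):
        stamp = len(self.issued) + 1
        self.issued[stamp] = now + self.ttl
        return stamp

    def redeem(self, stamp, now):
        """Return 'ok', 'expired', 'replayed' or 'unknown'."""
        if stamp not in self.issued:
            return "unknown"
        if now > self.issued[stamp]:
            return "expired"
        if stamp in self.cancelled:
            return "replayed"
        if self.cancel_on_redeem:
            self.cancelled.add(stamp)
        return "ok"

def replay_accepted(bank, copies, rate_per_sec):
    """One stamp reused on `copies` messages sent at rate_per_sec; count accepted copies."""
    stamp = bank.issue(now=0.0)
    return sum(bank.redeem(stamp, now=i / rate_per_sec) == "ok" for i in range(copies))

def legit_lost(bank, outage_secs, messages):
    """Each message carries its own stamp issued at t=0; recipient redeems after an outage."""
    stamps = [bank.issue(now=0.0) for _ in range(messages)]
    return sum(bank.redeem(s, now=outage_secs) == "expired" for s in stamps)

if __name__ == "__main__":
    # Constructed scenario: 100 msgs/s replay, 30-minute recipient outage, 20 real messages.
    for ttl in (60, 3600):
        for cancel in (False, True):
            replays = replay_accepted(Bank(ttl, cancel), copies=500, rate_per_sec=100)
            lost = legit_lost(Bank(ttl, cancel), outage_secs=1800, messages=20)
            print(f"ttl={ttl:>4}s cancel={cancel!s:<5} "
                  f"replays accepted={replays:>3}/500  legit lost={lost}/20")
```

With expiry alone, a 60-second lifetime still admits all 500 replays sent within five seconds while losing every message delayed by the outage; only cancellation at the bank bounds replay to one, which is the per-stamp state the message identifies as the bottleneck.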