On Fri, 2005-01-14 at 17:02 -0500, James Galvin wrote:

> --On Friday, January 14, 2005 12:18 PM -0800 Douglas Otis
> <dotis(_at_)mail-abuse(_dot_)org> wrote:
>
> This makes DNS the ideal place to store the keys and it scales well,
> since the "site" is known by its domain.

The point was not wanting to wait for a key used by many accounts to
expire. Such a key will likely be retained for more than a week to
ensure delivery of mail. A spammer could send themselves the various
spam they wish to distribute and, even if the account is closed, they
could send millions of copies of these messages from elsewhere and
receive confirmation until the expiration of the key. A spammer would
only need 50 accounts to continue their spamming for a year by abusing
the signature. Without being able to immediately respond to a problem,
defending the signature's reputation or seeing a benefit from the use of
a signature would be made difficult.

> I don't believe we need key revocation in order to "reject" a message.
> Assuming you don't want to reject a site, when the signature for the
> submission hop verifies you could have an opaque user identifier. You
> simply reject based on that.

This approach does not allow a high profile signing domain a means to
defend their reputation. Rather than a centralized distribution of
canceled account information, you are suggesting millions of recipients
rapidly collect this information by way of indirect means, rather than
from this authoritative source. Should the provider rapidly respond to
abuse reports and utilize a canceled account reporting mechanism, this
signature and the reporting mechanism will ensure their domain is not
used in an abusive manner. The reporting mechanism itself could act as
an abuse alert.

By not providing a mechanism for the signer to communicate their
discovery of an abusive account, the time for this information to filter
out to millions of potential recipients by other means will be as long
as it takes a key to expire. In other words, not having a reporting
mechanism ensures responding to spam is expensive and ineffective.
To be an effective deterrent, the response must be fast. The speed of
this response is critical: if you wait for a third party (the IT
administrator perhaps) to deal with a problem where they must expend
their resources, the damage is already done. This cost is not
small. Signatures offer the opportunity to effectively leverage a
centralized authority, where responses could be measured in minutes.
The savings would be very real.

-Doug
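The two positions in the exchange above, modelled as recipient-side verification logic. This is an added example written for this page; it is not code from either poster and it is not DKIM or any deployed protocol. A symmetric HMAC stands in for the public-key signature whose key the real design would publish in DNS, so the block runs offline with the standard library; the `key_records` dict stands in for the DNS lookup, the `i` field is the hypothetical opaque per-account identifier Galvin mentions, and the `canceled` dict is the hypothetical canceled-account feed Otis argues for. Account names, domain, key and timings are all constructed.

```python
import hashlib
import hmac

# Constructed model of the mechanism discussed in the thread (not DKIM, not
# any real protocol). An HMAC replaces the DNS-published public key so the
# example is self-contained; the interesting part is the recipient's decision.

DAY = 24 * 3600


def opaque_id(key: bytes, account: str) -> str:
    """Hypothetical opaque per-account identifier carried in the signature.
    Keyed so recipients can block an account without learning its name."""
    return hmac.new(key, b"id:" + account.encode(), hashlib.sha256).hexdigest()[:16]


def sign(domain: str, key: bytes, account: str, body: str) -> dict:
    """Signing-domain side: bind the body to the account's opaque id."""
    uid = opaque_id(key, account)
    mac = hmac.new(key, f"{uid}\n{body}".encode(), hashlib.sha256).hexdigest()
    return {"d": domain, "i": uid, "b": mac}


def evaluate(sig: dict, body: str, now: int, key_records: dict, canceled: dict) -> str:
    """Recipient side.

    key_records: domain -> {"key": bytes, "expires": int}   (stands in for DNS)
    canceled:    domain -> {opaque_id: time_published}      (signer's cancel feed)
    Only feed entries published at or before `now` count, since a recipient
    cannot know about a cancellation before the signer announces it.
    """
    rec = key_records.get(sig["d"])
    if rec is None:
        return "reject: unknown signing domain"
    if now > rec["expires"]:
        return "reject: key expired"
    expected = hmac.new(rec["key"], f"{sig['i']}\n{body}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["b"]):
        return "reject: signature does not verify"
    if canceled.get(sig["d"], {}).get(sig["i"], float("inf")) <= now:
        return "reject: account canceled by signer"
    return "accept"


def scenario(with_feed: bool) -> list:
    """Replay the case Otis describes: a message signed under a still-valid
    key is re-sent after the sending account has been closed. Returns the
    recipient's verdict on day 0, day 1 and day 8 of a one-week key."""
    key = b"constructed-example-key"
    t0 = 0
    key_records = {"example.net": {"key": key, "expires": t0 + 7 * DAY}}
    sig = sign("example.net", key, "throwaway-account", "Buy now!")

    canceled = {}
    if with_feed:
        # Signer closes the account six hours after the first abuse report
        # and publishes its opaque id; recipients see it from then on.
        canceled["example.net"] = {opaque_id(key, "throwaway-account"): t0 + 6 * 3600}

    return [evaluate(sig, "Buy now!", t0 + d * DAY, key_records, canceled) for d in (0, 1, 8)]


if __name__ == "__main__":
    print("no cancel feed:  ", scenario(False))
    print("with cancel feed:", scenario(True))
```

Without the feed the replayed message is accepted until the shared key expires on day 7, which is the window Otis objects to; with the feed the same message is rejected from the moment the signer publishes the cancellation, while other accounts under the same key are unaffected.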