
Re: MASS Security Review document

2005-02-06 09:09:11

John,

You have a valid point, and I tend to lean in this direction as well. The
problem of ISP users getting infected in the first place is a different
problem altogether.

Regardless of MASS, there is a level of new responsibility and new
liability for the ISP to have a "Clean Up" process before it attempts to
stamp or verify a message OK for further distribution or reception.

As of last year, Canada had a bill pending that will require all commercial
ISPs to install an AVS system. Not having one could make them liable.

For the US, it is not improbable for malpractice litigation to occur for
a major ISP who MASS stamps a "problematic" MUA message.

So MASS or no MASS, a clean up process has to be done.

For this reason, I believe the Security Review "infrastructure" change
analysis was not fully realized when considering MASS to be a process to
legitimize a transaction. To do so, every entity in the loop has to be part
of the process.

Of course, we can keep it as an endpoint-to-endpoint only concept, and let
the middleware do its job regardless of content provider.

In any case, on a related note, MASS needs to seriously address the broken
message issue. The idea that a stamped message can easily be broken
lowers its effectiveness. The last thing we want is an MSA or MDA accepting
a broken message even if it's moved into a spam folder. If an MSA stamps a
message, it must maintain its integrity unless it was intentionally broken
and/or there is broken software somewhere in the loop that needs to be
replaced. We don't want the user getting used to the idea of accepting mail
from a source that is always broken. "Oh, that's how it is with mail from
these people."

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
----- Original Message -----
From: "John R Levine" <johnl(_at_)iecc(_dot_)com>
To: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>
Cc: "MASS WG" <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Sunday, February 06, 2005 10:32 AM
Subject: Re: MASS Security Review document
While the primary goal of adding an opaque identifier would be to
prevent replay abuse, it would also facilitate an alternative to
blocking an entire site with millions of users, where perhaps the
majority of these users have systems that are compromised.

As I said in my previous message, I actively do NOT want to make it easy
to do that.  It's up to the sender to send mail legitimately.  It is not
up to the recipient to do the sender's filtering for him, and the easier
we make it, the easier it is for lazy ISPs to say "we don't have to deal
with our zombies because the recipients can do it for us."  If you don't
believe that's what some of them already think, ask AOL.

I agree that ISPs need help dealing with their zombies, but it's important
for us to give them tools to help identify and get rid of the zombies, not
to live with them.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.