On Mon, 2005-02-14 at 04:45 +0000, John Levine wrote:
>> Without a revocation mechanism, it remains _impossible_ to be responsive
>> to spam already signed and being sent in bulk.
>
> I don't know about you, but I would rather that people respond by
> stopping the outgoing spam run than by running around and trying to
> unsign mail that's likely already been received.

John, you seem to be insisting reputations should be based solely upon
the weaker IP address, rather than considering use of a signature for
this purpose.

- With a valid signature, when there is abuse, there is little doubt
which domain is accountable.
- With a signature and a revocation identifier, less effort is needed to
locate a problematic account.
- With a signature and a revocation identifier, cessation of abuse can
be comparable to closing an account.
- With a signature and a revocation identifier, filter information will
not need to be collected and then dispersed to afford protection.

A signature ensures clear accountability by way of name, rather than an
IP address, upon which to base complaints. Without a method to revoke
message authorization for an account, the alternative to protect the
reputation of a signature is rather onerous. Your suggestion was
per-user keys requiring gigabytes of data for large domains. To be
effective within a short time-frame, short TTL values would be needed
when publishing this huge amount of data.

Unless there are effective abuse deterrents, signatures will be abused
and will remain worthless as a basis for reputation. Signatures are
stronger than reliance upon an IP address, but require a two-step
process to be suitable for larger domains.

- Is the signature valid?
- Has the account been revoked?

Smaller domains can forgo account checks by not including the revocation
identifier when they are not experiencing account abuse. This could
change should they discover a few of their users' desktops have been
compromised. A revocation-identifier scheme would be easier to
implement post-haste than would per-user keys. Impact upon network
infrastructures would be far less disruptive as well.

Signatures offer a stronger method to protect reputation. This strength
is lost without a means to revoke implied authorization. A steady
stream of abuse from a signing domain cannot be excused because,
without a revocation mechanism, they must wait weeks for keys to expire.

There are reasons for desiring the greater strength of signatures, but
there is not an excuse for a flood of spam granted by way of the
signature. Either signature reputation is NOT USED, or it must be
defendable. Per-user keys are a poor solution in comparison to a
revocation-identifier.

-Doug
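
The two-step check described in the message above (is the signature valid, then has the account been revoked), as an added example that is not part of the original post or of any mail-signing specification. Assumptions: HMAC-SHA256 with a per-domain key stands in for the domain's public-key signature, the revocation identifier is covered by the signature, and the names `rid`, `DOMAIN_KEYS` and `REVOKED` are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data. The HMAC key is a stand-in for the signing domain's
# key pair; a real scheme would verify a public-key signature instead.
DOMAIN_KEYS = {"example.com": b"constructed-domain-key"}
# Hypothetical store of revocation identifiers the signing domain has published.
REVOKED = {"example.com": {"acct-7f3a"}}


def _mac(msg):
    # Length-prefix every field so content cannot be shifted between fields.
    fields = [msg["domain"], msg["rid"] or "", msg["body"]]
    data = b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields
    )
    return hmac.new(DOMAIN_KEYS[msg["domain"]], data, hashlib.sha256).hexdigest()


def sign(domain, body, rid=None):
    """Signer: one domain-wide key; the optional revocation id is signed too."""
    msg = {"domain": domain, "body": body, "rid": rid}
    msg["sig"] = _mac(msg)
    return msg


def check(msg, revoked=REVOKED):
    """Receiver: step 1 verifies the signature, step 2 checks for revocation."""
    if msg["domain"] not in DOMAIN_KEYS:
        return "no-key"
    # Step 1: is the signature valid? A swapped or stripped rid fails here,
    # because the identifier is part of the signed data.
    if not hmac.compare_digest(_mac(msg), msg["sig"]):
        return "bad-signature"
    # A domain that sends no revocation identifier asks for no account check.
    if not msg["rid"]:
        return "accept"
    # Step 2: has the account been revoked? This also catches mail that was
    # signed before the revocation and is still in flight.
    if msg["rid"] in revoked.get(msg["domain"], set()):
        return "revoked"
    return "accept"
```

The revocation store grows with the number of abused accounts, not with the number of users, which is the contrast the message draws with per-user keys.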