[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of
Michael Thomas
> I agree. I think that the thing that really ought to
> be proven here is whether "replay" is a real threat or
> not. At this point, it is purely academic and I think we
> have a pretty spotty track record of determining what the
> miscreants' next steps will actually be.
You might. But actually the events of the past few years have been tracking
some predictions pretty closely.
Sure, the bad guys will respond with a replay attack at some point, but, as has
already been explained at some length, it is a softball attack that is not going
to tax anti-spam schemes of any scale.
The principal challenge in establishing a free anti-replay scheme is that
generating the critical mass to redo DCC in an open fashion without the
censorship issues is not really going to be possible until after the attack
occurs. But by Web standards it is not a very difficult or complex
collaboration.
I do NOT want to start on a standards effort for that area NOW because there is
another area that is growing rapidly that might well provide some important and
useful leverage. If you have been following blogspam you will know that comment
and trackback spam are big issues for the blogosphere. Moreover, the naïve DCC
approach is an absolute non-starter in such a partisan environment.
While I do not want to prejudge the technology infrastructure that is applied
to control blogspam, it is pretty clear that the final solution will look
something like a federated version of the Slashdot moderation scheme. I don't
at this point know if the federated identity scheme would be based on SAML,
WS-Federation or something else entirely. Nor would I at this point take a
stand insisting on a particular approach.
Although I am pretty confident that we can anticipate the attack profile for
the next 2-3 years with reasonable accuracy, I am not yet at a point where I
would want to make any commitment to what the technology infrastructure for
meeting that attack profile will be.
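Editor's note on the "softball attack" point above. The reason a signature replay is cheap to detect with a DCC-style counter is that the replayed message carries the original DKIM signature unchanged, so the same b= value shows up again and again across the receiving population. The following is an added illustration, not code from this thread or from DCC: a small Python counter that fingerprints each DKIM-Signature header by its b= tag and flags a fingerprint once it has been seen more than an assumed threshold of times. The header values, the threshold of 3 and the names ReplayCounter, scan and signature_fingerprint are all constructed for the example.

```python
"""DCC-style duplicate counting over DKIM signature values (constructed example)."""
import hashlib
import re
from collections import Counter

# Number of sightings of one signature value above which the message is
# treated as a probable replay. Assumed tuning value, not from the thread.
REPLAY_THRESHOLD = 3


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header body into its tag=value pairs.

    Folding whitespace inside a value is removed, which the tag-list
    grammar permits, so a folded b= tag compares equal to an unfolded one.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_fingerprint(header_value):
    """Return a stable fingerprint for a signature: SHA-256 of its b= tag.

    A replayed message is re-sent with the original signature intact, so
    its b= value (and therefore this fingerprint) repeats at every sighting.
    Returns None when the header carries no b= tag.
    """
    sig = parse_dkim_tags(header_value).get("b")
    if not sig:
        return None
    return hashlib.sha256(sig.encode("ascii")).hexdigest()


class ReplayCounter:
    """Counts sightings of each signature fingerprint across received mail."""

    def __init__(self, threshold=REPLAY_THRESHOLD):
        self.threshold = threshold
        self.seen = Counter()

    def observe(self, dkim_signature_header):
        """Record one sighting; return (fingerprint, count, is_probable_replay)."""
        fp = signature_fingerprint(dkim_signature_header)
        if fp is None:
            return None, 0, False
        self.seen[fp] += 1
        count = self.seen[fp]
        return fp, count, count > self.threshold


def scan(headers, threshold=REPLAY_THRESHOLD):
    """Run the counter over DKIM-Signature header values.

    Returns the set of fingerprints that crossed the threshold and the
    full sighting counts, so a caller can inspect both.
    """
    counter = ReplayCounter(threshold)
    flagged = set()
    for header in headers:
        fp, _, is_replay = counter.observe(header)
        if is_replay:
            flagged.add(fp)
    return flagged, counter.seen


# Constructed sample stream: one ordinary message seen once, and one message
# whose identical signature arrives five times (a replay to new recipients).
LEGIT = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; bh=AAAA; b=abc123"
REPLAYED = ("v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; "
            "bh=BBBB; b=zzz999 \r\n\tqqq")
SAMPLE_STREAM = [LEGIT] + [REPLAYED] * 5

if __name__ == "__main__":
    flagged, counts = scan(SAMPLE_STREAM)
    for fp, n in counts.items():
        print(fp[:12], n, "REPLAY" if fp in flagged else "ok")
```

The caveat a deployer would want: a legitimate mailing list or a large internal announcement also delivers one signed message to many recipients, so a raw count on b= alone will flag those too. A practical counter keys on the fingerprint together with something the replayer has to change (the envelope recipient set, for example) or exempts known list sources, which is the "censorship issues" part of the thread's point about doing this collaboratively.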