So by using DNS we've already addressed this particular
problem. Wether the
domain itself is trustworthy or not, I believe, is not the
decision of any
central authority or array of loosely centralized
authorities. The recipient decides.[1]
The problem with this approach is that it means that you can only
have negative accreditation data.
I disagree. The current proposals *assume* negative accreditation but the
sender domains publish positive accreditation. It's that information that
lets the domain control how their domain is used.
That's actually the point of all this. A SMTP server trusts everyone by
default, and we've gone to great lengths to block abusive e-mail *after the
fact*. Yet we continue to accept abusive e-mail by default.
This get you into the problem of trying to police the entire net
which as MAPS and SPEWS prove is impossible to do well.
I won't argue this. Projects like those can only catch abusive mail and
senders after the fact. It's why I started looking at before-the-fact
approaches and I believe Hadmut, Meng and Raymond etc were similarly
motivated.
I believe it's high time for assuming "negative accreditation" and asking
questions later. Those questions, and corresponding answers, are what the
current proposals are about. I once suggested: "spammer until proven
innocent." I should generalize that to: "If I don't know you[1] you're not
welcome." There are so many real-world analogies to it that I can't list
them all here.
[1] My accepted value of $knowyou in this case, is, "Are you really who you
say you are?" or authentication, and "are you allowed to do this on behalf of
who you say you are?" or authorization.
--
PGP key (0x0AFA039E):
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>