ietf-mxcomp

RE: Accreditation NON-Proposal

2004-03-17 11:42:42

From: Hallam-Baker, Phillip [mailto:pbaker(_at_)verisign(_dot_)com]

I believe it's high time for assuming "negative 
accreditation" and asking questions later.  

The meaning I am attempting to attach to accreditation
is that it is a statement provided by a third party. 

OK, this is "gut feeling" but it is based on the experience I've ranted about
before.  I don't believe *implicitly* accepting statements from a third
party, about accreditation, will be accepted by e-mail users or
administrators.  Explicitly accepting statements is different (i.e., MAPS)[1]
as that's the recipient deciding.

I'd hate to cite Habeas as an example because I thought they were good people
with good intentions, but they're the best one to cite as a third-party
accreditation authority gone wrong.  People trusted this third-party right
until spammers started faking the Habeas headers and *getting away with it.*
After that, people started using the headers for filtering as abusive e-mail.
The only proof I can offer of this right now, is the noise in SPAM-L about
Habeas and a couple of links from sites whose administrators are effectively
flipping Habeas off:

<http://www.topline-creditcards.com/habeas-lawsuit.html>
<http://www.howtocorp.com/cgi-bin/webbbs_config.pl/noframes/read/1527>

If you dig around in Google you'll find plenty of other examples.  Search on
"Habeas lawsuit".

You could throw all kinds of cryptography behind a third party's
accreditation but I see them subject to vulnerabilities of their own, along
with export controls and so on.  No less vulnerable than DNS, except domain
admins control their own domain's DNS and can answer for many of the
vulnerabilities, as opposed to waiting for the third party to fix theirs.

But I would certainly accept that we need to change the
equation, assume all email guilty until proven innocent.

Agreed.  Then it's a matter of how to prove innocence.  For me, the sender
(domain) demonstrating accountability is enough.  I'd want that demonstrated
by the sender (domain) and not by a third party however.

[1] These are after-the-fact anti-spam as I've explained, the point is the
recipient explicitly decides to use them.  Only one major backbone used one
of these things to block on their routers and I suspect they lost customers
over it.  But that's speculation.

-- 
PGP key (0x0AFA039E): 
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4> 

