And a point which is deliberately ignored is the problem of 0.10 USD
throwaway domains and short-TTL bot networks. Yeah, I know,
this will be solved anytime later with accreditation services.

I agreed with you on every point you brought up until you got to here.
And then I agreed with you on every point.

This is a sore one for any domain-based verification system. Throw-away
domains, forged sub-domains and such are going to happen as soon as this
takes off. I wish domain vendors were better about this sort of thing but
we're going to see spammer-friendly registrars no matter what this group
comes up with.

What will happen though, is there'll be a chain of accountability. Or a web
of accountability, if you wish, to compare with a web of trust. You will be
able to hold someone responsible for the forged e-mail, whether it's a
clueless administration that whitelists the entire net for their domain, a
clueless administration with a 0wnzd server, a clueless registry, a
deliberately malicious registry, a spam enterprise, or whatever.

It's still going to be up to recipients to decide to hold senders
accountable.

Hm, perhaps that belongs in the Security Considerations section of
marid-core. That this technology only effectively points fingers, and it's
still up to recipients to act on who's being fingered, er, pointed at.
--
PGP key (0x0AFA039E):
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>