Re: New incompatible Tricks promotes change

On Dec 6, 2007, at 2:06 AM, Hector Santos wrote:

> Change promotes chaos which strives for equilibrium which instigates  
> a new round of survival of the fittest, deviation and imperfection,  
> thus the cycle begins again.
> Trick XYZ requires change like any other trick. If change is what we  
> want, IMO your particular trick no longer applies - there are by far  
> more simpler solutions.
> SMTP v3.0 needs registration and enforcement ideas.  Thats all - two  
> fundamental ideas that we are very careful not to revisit again.
Hector,

Even when everything is authenticated, some type of temporal, opaque  
identifier is needed to deal with repeatedly abusive sources.   
Registration serves as a means to rate-limit abuser access, but that  
is not a complete solution.
TBR allows offering "questionable" transmitters a choice -

1) Receive a temp error, or

2) Provide a nonspoofable, content immutable, and opaque source  
reference
The TBR reference does not require receivers to expend resources  
associated with obtaining keys, cryptographic analysis, obtaining  
extensive address list of all hosts used on behalf of a domain, or  
investigating all permissions at every hop.  Bot nets are making  
receiver resource intensive analysis impractical, to say the least.
Expect registration and enforcement to be the role of different  
parties.  Don't expect email providers to proactively play the role of  
enforcer.  They naturally have conflicted interests with a desire is  
to attract as many users as possible.  A large number of users in  
itself, allows, and may invite, lax enforcement.  Those offering  
access to services often operate at thin margins where customer  
support represents a substantial component of their overhead.  Dealing  
with a compromised system often requires hours of labor and a high  
level of interaction.
There are lucrative business models for either party, however SMTP  
currently and significantly lacks a means for fine grain enforcement.  
The interests of those offering registration are significantly  
different from those attempting to keep lines of communication clear.   
Those offering email services and those blocking abuse should not be  
seen as being adversaries.  The latter is more prone to DDoS attack  
where it is very much in their interest to keep the number of  
compromised systems in check.  As such, they offer notification with a  
place to go for resolution, many such companies even offer free  
remdiation.
TBR is not a trick defeated by changing a message's format.  TBR can  
not be defeated by lying about some header within the message.  TBR  
does not depend upon _anything_ that would give the transmitter an  
advantage over that of the receiver.  In that sense, TBR can remain a  
long term solution unlike most other efforts or proposed solutions.   
By not having any identifier with a granularity smaller than the  
domain or the client's IP address, too often those providing  
enforcement have created problems for the providers.  This tends to  
put them at odds.  Levels of abuse can be expected to rise unless  
finer grain enforcement becomes possible.  After all, we all want to  
get along.  Sounding a bit like Jerry McGuire, help us to help you.
TBR offers a fine grain, opaque, identifier at an extremely low  
resource cost from the perspective of the receiver.  TBR is NOT about  
conserving the Internet.  TBR is about providing an effective and  
scalable mean of enforcement which acknowledges the different roles of  
transmitter and receiver, or email and anti-abuse provider.  TBR is  
not a clever trick.  It is dead simple and can be very effective.
-Doug