
Re: spam

2003-05-30 13:03:57

on 5/30/2003 12:05 PM Vernon Schryver wrote:

None of the even slightly plausible anti-forgery proposals have even 
the slightest believable effects toward enforcing the use of known 
identities.

They don't have to be "known" identities to provide accountability measures,
they only have to be verifiable. The proposals that even I think are too
complex are the ones that require the use of "known" identities
(exchanging tickets, bilateral postage agreements, etc).

Simply limiting the information to a "verifiable" scope can provide
sufficient levels of accountability. For example, allowing self-signed
certificates but restricting their acceptance to the same mail domain
would provide some baseline measure of verification (DNS lookups), and
would provide some level of accountability (through the DNS domain
delegation information), and would provide additional strength to the
available enforcement options. None of that requires "known" identities
(btw, I'm not ready to propose that usage model, just laying it out as an
example of how "known" identities aren't necessary to achieve a goal of
accountability through verified paths).

No anti-forgery proposal has included anything that would 
inconvenience a spammer that wants 10,000 "known identities." No price
on certificates or any other mechanism can be low enough to be 
tolerable by users but high enough to determine that the next new 
account an ISP sees is not a known spammer with a new name, addresses, 
and valid credit card number.

First of all, I think this is really an argument for legal options. I've
already stated that I don't think the spam problem in particular can be
"fixed" in the absence of legal enforcement options.

Secondarily, if we wanted to be productive (forward-moving) on this
particular subject, we should be discussing the mechanisms that would be
needed and/or useful towards making the necessary retrieval, comparison
and enforcement functions useful, and which would in turn make any of the
available enforcement options useful. I don't find the current absence of
credible services (WHOIS is currently useless) to be a compelling argument
against their eventual presence (WHOISng may be more useful), nor as
compelling arguments against their subsequent integration with other
services (integration between a WHOISng and an SMTPng for locating all of
the domains associated with a known offender, as one possibility). We
already know we're going to need some kind of identification mechanism, so
what else would we need as part of that?

The first step in that means weakening the ability to use forgery 
techniques as a shield, but that's just a start. It should also help 
against some of the prevarication you describe above, since there
would be less room for waffling if recipients were able to "prove" by
verifiable transfer-path analysis that a particular node had
absolutely sent some piece of spam.  ...

That should sound like the mistake it is in a more or less technical 
setting like this.  There has never been any lack of a "verifiable 
transfer-path analysis that a particular node had absolutely sent some 
piece of spam" unless you believe that spammers use initial sequence 
number prediction to forge IP addresses.  You always know the IP 
address of the SMTP client, even if it is a relay or proxy.  ISPs could
and should hold operators of open relays and proxies accountable for
sending the spam their systems send.

Conceding that "ISPs could and should hold operators...accountable"
doesn't dismiss the claims, and neither does the rest of your text.

Preventing the use of proxies through verifiable end-system identifiers is
one of "the first steps" I referred to. The problem would mostly move into
the relay and direct-sender space, but those uses could be dealt with much
more aggressively given the "proof" that would be available afterwards;
the range of enforcement options are all strengthened by better proof. The
original claims stand, despite your concession and fist-waving.

Secondarily, there is another class of user where forgeries are 
problematic in their own right, which is outright impersonation
and/or fraud, and in that context the anti-forgery capabilities would
stand as a unique benefit. However, the enforcement options which
were made available to those users as a result of the accountability
features would be no less compelling to those users if forgery were
attempted and caught.

Please point out a single such case where header forgery was not
obvious and that needed or could have used any extra machinery.

In 1993, Adelyn Lee won a $100,000 wrongful-termination settlement against
Oracle, partially using forged email between her superiors as evidence.
Four years later the forgery was exposed, but the evidence that did her in
was testimony, log files, and cell-phone records, not the email message.
It seems obvious to me that a mail system which offered the kinds of
accountability features we're talking about and which cost less than the
settlement costs, corporate personnel and legal fees would have been well
worth the expense to them.

http://www.wired.com/news/technology/0,1282,9641,00.html describes three
different instances of fraudulent misrepresentation of Yahoo, any of which
would have been ameliorated with half-decent identity information which
clearly indicated the user was a customer and not an employee of Yahoo.
I've no idea what the dollar cost to Yahoo was, but the legal time alone
couldn't have been cheap, not to mention the economic impact from loss of
credibility.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/



