ietf

Re: Certificate / CPS issues

2003-06-06 13:05:55
OK, so what happens when someone else uses my address, perhaps using 
my passport, captured from some mail sent by me to someone? 

I think the term of art is "being Joe Jobbed".

Every now and then, I get a bounced report that claims something I sent 
is being returned, but it was not sent by me.  This "something" is most 
often spam sent to someone else.  Sometimes it contains a virus.
Apparently this is a trick to get me to open it.

Anyway, I think your Passport Scheme needs some more work.

Cheers...\Stef

At 11:50 +0100 6/6/03, Graham Klyne wrote:
At 12:12 05/06/03 -0700, Hallam-Baker, Phillip wrote:
A spam sender could attempt to use disposable certificates in the same way
that IP addresses and dialup accounts are considered disposable. This is
unlikely to work for long, the spam sender can set up lots of shell
companies at the same address but if the CA keeps authenticating to the same
address or phone number the pattern will soon become apparent.

Hmmm... is there an economic play here?

<background>
First, briefly, my view of the spam situation.  I don't think it's 
fundamentally an Internet protocol design issue (though some design tweaks may 
help).  Essentially, I think people currently have the choice of
(1) putting filters in place and accepting the loss of some non-spam mail, or
(2) accepting a deluge of spam, and not losing any mail.  In practice, I think 
this option doesn't exist, because I find that (lacking spam filters) I do 
lose a few pieces of non-spam mail because I don't recognize the sender or 
subject.  So I see a way forward to be a "passport" mechanism to reliably 
bypass automated spam filters, a kind of whitelist++.
</background>

So back to my question: is there an economic play here?

(I was offered the opinion once that a big *disadvantage* of email compared 
with fax for business transactions was that it has almost zero incremental 
cost of use.)

I'm thinking of a cert issued for a small sum of money, without any 
authentication other than the purchaser promises something like "I promise not 
to spam with this certificate".  At the earliest evidence of it being used for 
spamming, it is revoked.  The price should be small enough to be accessible to 
any reasonable person, but high enough that the bill for daily or hourly 
renewal would become significant.

Maybe crazy, just thinking aloud...

#g


-------------------
Graham Klyne
<GK(_at_)NineByNine(_dot_)org>
PGP: 0FAA 69FF C083 000B A2E9  A131 01B9 1C7A DBCA CB5E
