At 12:40 06/06/03 -0700, Einar Stefferud wrote:
OK, so what happens when someone else uses my address, perhaps using
my passport, captured from some mail sent by me to someone?
I think the term of art is "being Joe Jobbed".
Every now and then, I get a bounced report that claims something I sent
is being returned, but it was not sent by me. This "something" is most
often spam sent to someone else. Sometimes it contains a virus.
Apparently this is a trick to get me to open it.
I see a couple of differences: re-using someone's email address is easy
... I've had a flurry of 'bounces' recently for messages I certainly did
not send. But the information to send those (deceitful) messages is very
easily obtained.
By putting some of the information behind a cryptrographic screen, it
becomes harder for others to casually use it.
And if security is compromised, then the cert gets revoked and the genuine
owner has to buy another one. Hey, don't we occasionally lose theatre
tickets? Tough, but not disastrous -- we just have to buy another one.
Anyway, I think your Passport Scheme needs some more work.
I'm sure it does!
#g
--
At 11:50 +0100 6/6/03, Graham Klyne wrote:
>At 12:12 05/06/03 -0700, Hallam-Baker, Phillip wrote:
>>A spam sender could attempt to use disposable certificates in the same way
>>that IP addresses and dialup accounts are considered disposable. This is
>>unlikely to work for long, the spam sender can set up lots of shell
>>companies at the same address but if the CA keeps authenticating to the
same
>>address or phone number the pattern will soon become apparent.
>
>Hmmm... is there an economic play here?
>
><background>
>First, briefly, my view of the spam situation. I don't think it's
fundamentally an Internet protocol design issue (though some design
tweaks may help). Essentially, I think people currently have the choice of
>(1) putting filters in place and accept the loss of some non-spam mail, or
>(2) accepting a deluge of spam, and not lose any mail. In practice, I
think this option doesn't exist, because I find that (lacking spam
filters) I do lose a few pieces of non-spam mail because I don't
recognize the sender or subject. So I see a way forward to be a
"passport" mechanism to reliably bypass automated spam filters, a kind of
whitelist++.
></background>
>
>So back to my question: is there an economic play here?
>
>(I was offered the opinion once that a big *disadvantage* of email
compared with fax for business transactions was that it has almost zero
incremental cost of use.)
>
>I'm thinking of a cert issued for a small sum of money, without any
authentication other than the purchaser promises something like "I
promise not to spam with this certificate". At the earliest evidence of
it being used for spamming, it is revoked. The price should be small
enough to be accessible to any reasonable person, but high enough that
the bill for daily or hourly renewal would become significant.
>
>Maybe crazy, just thinking aloud...
>
>#g
>
>
>-------------------
>Graham Klyne
><GK(_at_)NineByNine(_dot_)org>
>PGP: 0FAA 69FF C083 000B A2E9 A131 01B9 1C7A DBCA CB5E
-------------------
Graham Klyne
<GK(_at_)NineByNine(_dot_)org>
PGP: 0FAA 69FF C083 000B A2E9 A131 01B9 1C7A DBCA CB5E