Paul writes:
s/mime relies on the x.509 pks industry which in is turn based on the goal
of enriching a small number of ca's who have to pay for relationships to
browser/useragent vendors who then make the certs worthwhile
Hmm and the cost of MAPS would be?
It costs money to perform authentication and issue certificates, less than
the amount charged for but the total cost to the end user in terms of time
is still significant and in the case of spam control you have certified the
wrong party.
The party that is generally held responsible for users actions is the ISP,
not the user. So that is the level at which you want to certify, not the end
user. S/MIME is not designed to do the job being proposed here. You want to
hold the ISPs responsible, there is no point in having greater granularity
in your authentication system than you intend to use in the revocation
system.
I don't know what a class 3 cert for an ISP would cost but I would guess
rather less than is charged for MAPS these days.
Phill