ietf

Re: Engineering to deal with the social problem of spam

2003-06-09 07:38:04
From: Paul Vixie <vixie(_at_)vix(_dot_)com>

...
computational cost diversity problems, with or without other problems.  my
children are relatively wise in the ways of the world but the age at which i
want them to have ibcs(*) access is lower than the age at which i'd be
comfortable letting anyone with hashcash in their pocket send us traffic.  so
while hashcash might be a form of trust for some, it wouldn't be one here.

Why would you trust or even bother with "ibcs"?  Why not just configure
your children's mail system to accept only mail that is signed with
any of a handful of cryptographic keys, using S/MIME, PGP, or whatever?

That solution is currently available only to a very few people, but
fixing that needs only modest work in user interfaces and no effort by
the IETF.  Some browser-MUAs can already be used to click on a URL to
add a certificate to a private, trusted list.  What would be wrong with
having the controls on your children's browser-MUAs locked with a
password that only you know, and then visiting the web sites of your
children's teachers and sites of (the parents of) their peers to add
keys (certificates, or whatever) to a list of trusted senders?


] From: Paul Vixie <vixie(_at_)vix(_dot_)com>

] ...
] > The little I've understood is that you've said something about "mutual
] > consent" and vendors or notaries of the same, which for me evokes
] > "like Verisign?" and a little more best unsaid.
]
] no, not like verisign.  in <g3llwdraz3(_dot_)fsf(_at_)sa(_dot_)vix(_dot_)com> i wrote as follows:
]
] | s/mime relies on the x.509 pks industry which is in turn based on the goal
] | of enriching a small number of ca's who have to pay for relationships to
] | browser/useragent vendors who then make the certs worthwhile.  that can't
] | scale and hasn't scaled, other than in the case of server certs.  no way
] | will the average user be willing to pay money for a personal cert signing
] | if the companies on the list have all spammed them.
] ...

That Verisign is an industry pioneer and continuing leader in unsolicited
bulk commercial advertising is irrelevant.  Ethical outfits would not
suffer that problem.  The main problem is what you touched on by
talking about the x.509 pks industry.  The problem with third party
signers, notaries, and so forth is that at the price points that people
will pay in time and effort as well as money, the third parties cannot
do a competent job or anything useful.

People insist on using Outlook and Outlook Express instead of MUAs
that are not designed to be user friendly virus and worm transports.
They can't even be bothered to lock down their "security preferences."
I can't imagine people going to the equivalent of the trouble of
finding an old fashioned notary and paying $3 to get their keys or
whatever registered.

Note that those who know apparently don't trust old fashioned notaries.
Why else does the U.S. stock and bond industry refuse to use ordinary
notarized signatures?  From what I've seen, the few financial institutions
that can certify your signature on a stock certificate or similar
paper work are also ordinary notaries.

The problem is not lack of interest in the IETF, but among users.
Some of us are obsessed with some dangers, but most people have more
balanced views.  Most people don't pay any attention to the current
terrorism color scheme.  They did not buy generators and flee to the
woods to wait for the collapse of civilization due to the Y2K bug.
Only a few people in the military and civilian police prepared for
the great wave of terrorism that was supposed to sweep the nation
during the 1976 Bicentennial celebrations.  (The U.S. Army Reserve unit
in which I was working off my draft dodging was one.)

People who are really vulnerable to "nonconsensual communications"
such as your children can use whitelists to better effect than any
services from third parties.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com