Re: How Not To Filter Spam

2004-02-21 08:14:58
On 20-feb-04, at 15:32, Robert G. Brown wrote:

> It is useful only if you only get mail from a small, closed group of
> people, almost by definition, as I think Vernon and others have pointed
> out.

Well, I don't know about you, but I _do_ get mail from a small, closed group of people. I also get mail from a large, open group of people, and I grant you authenticating them is too much trouble and leads to too little gain to bother. But I think authentication mechanisms would be very useful for interactions that fall between those two groups. For instance, just now I got a few more spam messages that claim to be security notices from my ISP. It's pretty obvious these aren't, but that's not always the case. I don't understand why ISPs and ecommerce sites such as Amazon don't sign their mail. Or closer to home: the IESG, IAB, RFC Editor and so on.

> I get mail from friends of friends, from relatives who
> are completely clueless about technology in general and who would run
> screaming at the very mention of the words "electronic signature" or
> "encryption" (unless of course it were integrated into Microsoft
> Outlook).

While the math behind public key cryptography is pretty intense, and the protocols aren't too pretty to look at, the way it is applied doesn't necessarily have to be all that hard to understand.

Obviously implementations (and some of the protocols) need to mature, but this is happening as we speak. For instance, Apple's mail application automatically handles incoming S/MIME signatures without the need for the user to do anything special. Microsoft has a system in place where they authenticate certain software.

> Most of this is mail that I could care less about being
> signed -- I wouldn't bother to validate the signature at all if it were
> and there was ANY WORK AT ALL involved in doing so.

With Apple Mail there is a big problem of how to get a certificate, but once you do it simply works unless something bad happens and then a big old yellow banner pops up warning the recipient that the message couldn't be authenticated.

> This is all about cost-benefit and the realities of the messy, chaotic,
> ignorant world of mail users the world around.  In nearly all cases the
> cost-benefit of signing or encrypting all messages and maintaining
> strict, reliable lists of ALL your correspondents' keys is
> overwhelmingly negative.

Hm, this is basically what happens for HTTPS... Seems to work most of the time.



