
Re: "Principles" of "Spam-abatement"

2004-03-01 11:54:43
From: Paul Vixie <paul(_at_)vix(_dot_)com>

...
we are eventually going to be able to tell whether a message was generated
by someone who was present and gave consent, or whether it's just wormware;
and whether the owner of an ip-using device intends to act as a mail server;
and whether a bond has been posted by this present/consenting sender and if
so how much; and whether there exists or not a trust path from the sender,
through their bank or school or employer or insurance company to the
recipient.  the internet doesn't care what your meatspace identity is and
anonymity is a necessary way of life -- but we do care very much whether
transitive trust exists.  "who you are" matters less than "who you know",
and this is true not just for messaging but also for web service accounts and
passwords, for trading and payments, and for so-called "social networking."

The trouble with that is that trust is not and cannot be made transitive.

There is a finite chain of people that connects you with anyone you
care to name, with each person asserting any sort of trust you want
for the next person in the chain.  The chain that connects you with
Al Ralsky for the trust operator "the next person correctly identifies
people" is probably shorter than 6 people.  The chain that connects
you with Ralsky for "next person does not spam" is probably longer
than 6, but shorter than a couple dozen.  Even worse, the chain that
connects you to Al Ralsky for "the next person is not Al Ralsky" is
probably shorter than the first, short chain.

The notion of transitive trust makes as much sense as assuming that
all of the keys on the key rings of the people who will be signing PGP
keys at the IETF this week are of people who you can trust to not send
you mail you'd not want.

In the real world, there is nothing like transitive trust.  That's why
it is so hard to cash third-party checks.  The closest you can get to
transitive trust is something like the check clearing system, which
has only about 5 parties, with three (the two banks and the Federal
Reserve) so entangled that they can be considered a single outfit.
And check forgery remains a major problem.

If transitive trust could be made to work, then government security
clearances would be easy.  If it could work, we would have more than
3 credit reporting agencies, and we would not have so much machinery
to deal with their errors.  If transitive trust cannot be made to work
for those cases where there are major penalties for cheating, how can
you expect to make it work for mail, which no one values at more than
$30/year/seat?

You might say that you don't want fully transitive trust but only
to trust the people who know people you know.  If you want that
kind of mail system that does not carry messages between strangers,
you've already got it with any of the many kinds of whitelisting.

These problems with trust have nothing to do with the network protocols
involved.  They are fundamentally non-technical.  Talking about replacing
SMTP to implement transitive trust is at best a distraction.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com