spf-discuss

on CAs as reputation providers; an argument for metric-based reputation services

2003-12-08 11:36:09
(regarding http://uk.news.yahoo.com/031205/80/egebz.html)

On Mon, Dec 08, 2003 at 05:21:46AM -0800, Hallam-Baker, Phillip wrote:
| 
| Transport level security is ok but less flexible.
| 
| My preferred system would use spf for a master record, encode the domain
| public key in the dns and include links to certificates for policy
| correspondence.
| 
| The cost of a ca issued cert is policy enforcement.
| 

To expand on the idea of policy enforcement:

Domainkeys and SPF both fall into the category of sender authentication.

Sender authentication schemes aren't enough to stop spam; you need a
reputation system also.

I have proposed a distributed+free+open reputation system to keep track
of message traffic vs spam complaints and spamtrap counts, and then
publish judgement-free numbers as a basis for per-domain policy.

Reputation systems per se are orthogonal to sender authentication.
What works for SPF could work for domainkeys also.

However, given domainkeys, commercial interests will probably want to
couple the reputation system to the encryption technology, just as we've
seen with https.

This opens the door to CAs vetting their customers.  Maybe one CA will
issue a cert to anyone who asks; this is the same as trusting a
self-signed cert.  Another CA will implement Bonded Sender.  Another CA
might start out only vouching for well known domains, but over time
dilute that brand with well-paying spammer customers, in a process
analogous to the spamhaven ISP model.

If the pattern holds true, we'll eventually see blacklists of CAs, just
as SPEWS blacklists entire providers.

The problem with blacklists is that there are so many, and each ISP has
to decide which ones to use.  That decision has to be revisited every
few months.  If there are as many CAs as there are blacklists, we'll see
the same thing happen all over again.  Wouldn't it be better to turn
that qualitative decision-making into a quantitative process?  That
factors out the time spent on choosing blacklists; instead, SMTP
receivers just have to decide on a threshold for some "AmIspamOrNot"
metric.

CAs will be very wary of revoking a spammer's cert for fear of
litigation.  Litigation leads to a chilling effect or conflict of
interest in any industry where the customer pays an "independent third
party" to vouch for them.  In journalism, a wall theoretically separates
the editorial and the advertising departments.  CAs will need to build
that same wall, because vouching for potential spammers is much more
fraught than vouching for webservers.

The reputation system I proposed is based on scores which can be
compiled from openly available statistics.  It leaves the accept/reject
decision to the discretion of individual domains.  Therefore it is an
alternative to CA policy enforcement which does not suffer from the
chilling effect.

Judging the people who pay you money is not a tidy business model.  It
may be better for a business to focus on providing reputation services
rather than coupling reputation to certificates.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt
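
A sketch of the metric-based approach described in the message above, added
here as an illustration; it is not code from the post or from the SPF project.
The field names, the smoothing prior, the thresholds and the sample counts are
all assumptions: the service publishes only raw counts, and each receiver
turns them into a score and applies its own threshold.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainStats:
    """Judgement-free counts a reputation service could publish (assumed fields)."""
    messages: int       # total message traffic observed for the domain
    complaints: int     # spam complaints received about that traffic
    spamtrap_hits: int  # deliveries to spamtrap addresses

# Constructed sample data, using reserved .example domains.
PUBLISHED = {
    "bulk.example": DomainStats(200_000, 9_000, 400),
    "shop.example": DomainStats(50_000, 40, 0),
    "new.example": DomainStats(12, 0, 0),
}

def spam_score(stats, prior_msgs=100, prior_rate=0.02):
    """Fraction of traffic that drew a complaint or hit a spamtrap.

    The counts are blended with a prior worth `prior_msgs` messages at
    `prior_rate`, so a domain with almost no history scores near the prior
    rather than looking perfectly clean. The prior is an assumption of this
    example, chosen by the receiver, not by the service.
    """
    bad = stats.complaints + stats.spamtrap_hits
    score = (bad + prior_msgs * prior_rate) / (stats.messages + prior_msgs)
    return min(score, 1.0)

def decide(domain, threshold, published=PUBLISHED):
    """Receiver-side policy: the same numbers, a locally chosen threshold."""
    stats = published.get(domain, DomainStats(0, 0, 0))  # unknown domain: prior only
    return "reject" if spam_score(stats) > threshold else "accept"

def policy_table(threshold):
    """Decision for every published domain under one receiver's threshold."""
    return {domain: decide(domain, threshold) for domain in PUBLISHED}

if __name__ == "__main__":
    for name, threshold in (("strict receiver", 0.01), ("lenient receiver", 0.03)):
        print(name, policy_table(threshold))
```

The two receivers disagree only about new.example, which has too little
history to score below the prior; neither had to pick or revisit a blacklist.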