
RE: on CAs as reputation providers; an argument for metric-based reputation services

2003-12-08 14:06:41
I agree with much of what Meng says; running a CA is not a trivial task if
done properly.

I don't have time to give a full account of my business here. Suffice to say
that anyone can create certificates for free; there is even a program in
Windows that does this.

The expensive part is providing an assurance that the cert is accurate. Yes,
there is a litigation risk, and that is why I regularly speak at legal
conferences on CA litigation issues.

This is a combinatorics problem: 50 million domain names, 10 global CAs if
that. Clearly there is a reputation issue. I don't want a VeriSign cert with
extensive validation to be worth no more than a bucket shop CA cert where
the end entity is not validated beyond checking that payment clears.


The real issue is whether the accreditation system is open. If people can
list the accreditations they have accumulated, feedback filters will quickly
converge on giving them the correct weight.


-----Original Message-----
From:   Meng Weng Wong
Sent:   Mon Dec 08 10:36:29 2003
To:     spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Cc:     mail(_at_)vipul(_dot_)net
Subject:        [spf-discuss] on CAs as reputation providers; an argument for metric-based reputation services

(regarding http://uk.news.yahoo.com/031205/80/egebz.html)

On Mon, Dec 08, 2003 at 05:21:46AM -0800, Hallam-Baker, Phillip wrote:
| 
| Transport level security is ok but less flexible.
| 
| My preferred system would use SPF for a master record, encode the domain
| public key in the DNS and include links to certificates for policy
| correspondence.
| 
| The cost of a CA-issued cert is policy enforcement.
| 

To expand on the idea of policy enforcement:

Domainkeys and SPF both fall into the category of sender authentication.

Sender authentication schemes aren't enough to stop spam; you need a
reputation system also.

I have proposed a distributed+free+open reputation system to keep track
of message traffic vs spam complaints and spamtrap counts, and then
publish judgement-free numbers as a basis for per-domain policy.

Reputation systems per se are orthogonal to sender authentication.
What works for SPF could work for domainkeys also.

However, given domainkeys, commercial interests will probably want to
couple the reputation system to the encryption technology, just as we've
seen with https.

This opens the door to CAs vetting their customers.  Maybe one CA will
issue a cert to anyone who asks; this is the same as trusting a
self-signed cert.  Another CA will implement Bonded Sender.  Another CA
might start out only vouching for well known domains, but over time
dilute that brand with well-paying spammer customers, in a process
analogous to the spamhaven ISP model.

If the pattern holds true, we'll eventually see blacklists of CAs, just
as SPEWS blacklists entire providers.

The problem with blacklists is that there are so many, and each ISP has
to decide which ones to use.  That decision has to be revisited every
few months.  If there are as many CAs as there are blacklists, we'll see
the same thing happen all over again.  Wouldn't it be better to turn
that qualitative decision-making into a quantitative process?  That
factors out the time spent on choosing blacklists; instead, SMTP
receivers just have to decide on a threshold for some "AmIspamOrNot"
metric.

CAs will be very wary of revoking a spammer's cert for fear of
litigation.  Litigation leads to a chilling effect or conflict of
interest in any industry where the customer pays an "independent third
party" to vouch for them.  In journalism, a wall theoretically separates
the editorial and the advertising departments.  CAs will need to build
that same wall, because vouching for potential spammers is much more
fraught than vouching for webservers.

The reputation system I proposed is based on scores which can be
compiled from openly available statistics.  It leaves the accept/reject
decision to the discretion of individual domains.  Therefore it is an
alternative to CA policy enforcement which does not suffer from the
chilling effect.

Judging the people who pay you money is not a tidy business model.  It
may be better for a business to focus on providing reputation services
rather than coupling reputation to certificates.

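The scheme Meng describes above, as an added illustration that is not from the original thread: a reputation service publishes judgement-free per-domain numbers (traffic, complaints, spamtrap hits), and each SMTP receiver applies its own threshold to them. Domain names, counts and threshold values are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample of what a reputation service might publish per sending
# domain: raw counts only, no verdict. Names and numbers are invented.
PUBLISHED_STATS = {
    "example-newsletter.test": {"messages": 100_000, "complaints": 30,    "spamtrap_hits": 2},
    "bulk-sender.test":        {"messages": 250_000, "complaints": 9_800, "spamtrap_hits": 1_500},
    "tiny-startup.test":       {"messages": 12,      "complaints": 1,     "spamtrap_hits": 0},
}


@dataclass(frozen=True)
class DomainScore:
    domain: str
    messages: int
    complaint_rate: float   # spam complaints per delivered message
    spamtrap_rate: float    # spamtrap hits per delivered message


def score_domain(domain, stats):
    """Turn raw counts into rates. The service stops here: it publishes
    numbers and leaves accept/reject to each receiving domain."""
    msgs = stats["messages"]
    if msgs <= 0:
        raise ValueError(f"no traffic recorded for {domain}")
    return DomainScore(domain, msgs,
                       stats["complaints"] / msgs,
                       stats["spamtrap_hits"] / msgs)


def receiver_policy(score, max_complaint_rate=0.001, max_spamtrap_rate=0.0005,
                    min_volume=1_000):
    """One receiver's "AmIspamOrNot" threshold applied to a published score.
    Low-volume domains get "unknown" rather than a verdict: one complaint on
    12 messages is an 8% rate that says nothing reliable either way."""
    if score.messages < min_volume:
        return "unknown"
    if (score.complaint_rate > max_complaint_rate
            or score.spamtrap_rate > max_spamtrap_rate):
        return "reject"
    return "accept"


def classify_all(stats, **policy):
    """Run a receiver's policy over every published domain."""
    return {d: receiver_policy(score_domain(d, s), **policy) for d, s in stats.items()}


if __name__ == "__main__":
    for domain, verdict in classify_all(PUBLISHED_STATS).items():
        print(f"{domain:28} {verdict}")
```

A stricter receiver simply lowers its thresholds; the published numbers do not change, which is the point of separating the metric from the policy.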
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt