spf-discuss

overall paradigm shift in email, plus rambling philosophical discussion

2004-06-20 10:15:55
In a small town, everybody knows everybody, people greet
people on the street, and people leave their doors unlocked.
The dominant philosophy is "assumed innocent until proven
guilty."

In a big city, everyone's a stranger.  The dominant
philosophy is "assumed guilty until proven innocent".

The move toward authentication/accreditation/reputation
systems was devised at Aspen in Dec 2003.  It represents a
change from small town to big city.

The Internet used to be a small town.  By default, incoming
mail was assumed innocent.  The content filtering
model supports this philosophy, by trying to weed out
guilty mail in a stream of assumed-innocent messages.

Now the Internet is a big city.  But email protocols
continue to pretend it's a small town, for historical and
ideological reasons.  (See toad.com.)  Spam can be seen as a
symptom of abuse resulting from an outdated social model.

Closing open relays was the first step in moving to the
"assumed guilty until proven innocent" model.

Adoption of the Aspen framework is the next big step.

In an "assumed guilty until proven innocent" world of email,
senders should expect their mail to be rejected by default,
unless it is authenticated, and unless the receiver's
reputation system gives the sender a good rating.  If the
sender has taken pains to obtain accreditation with a
reputable accreditation provider, that rating improves.

If spam is solved, we may one day be able to move back to
the "assumed innocent until proven guilty" model.

Until that day, I will present an observation.  (Please
don't turn this thread into a debate about gun control.  I
am making a point and I expect the intelligent reader to
appreciate the point, even if we disagree in the details,
and to please refrain from picking nits.)

I was watching a "Cops" style show, where they show video of
arrests.  They showed two car chases.

The first car chase was in the US.  After the suspect came
to a stop, a swarm of officers surrounded the vehicle with
guns drawn.  There was a lot of yelling and the situation
was very tense --- naturally, because the officers had to
assume the suspect was armed and dangerous.  "Come out with
your hands up" and that sort of thing.

The second car chase was in the UK.  After the suspect came
to a stop, an officer just walked up to the car, opened the
door, and yanked the driver out by his lapels.  There was
much less tension.  Why?  Because in the UK you can assume
the bad guys don't have guns.

So the freedom for civilians to own guns inversely
correlates with the freedom to get arrested without maybe
getting shot.  "Amadou Diallo" may ring a bell with some
people.

On the Internet, if the tradeoff is between:

  - the freedom to send mail without authentication, but
    without the confidence that it will be received,

and

  - the requirement to send mail with authentication, with
    the confidence that it will be received,

then I know I'll pick the latter on grounds of pragmatism
alone.

I know, I know, Franklin said: "They that can give up
essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."

But by that argument, one could say that locks on front
doors are a bad idea, because they restrict my freedom to go
in and out of my house without carrying a set of keys, and
they definitely restrict the freedom of my friends to drop
by when I'm not home to borrow a movie off my shelf.

Two important words in Franklin's quote are "essential" and
"temporary".  Is the freedom to send mail without
authentication "essential"?  Are the gains in reducing spam
"temporary"?

One might argue that the essential freedom of air travel is
the ability to buy a plane ticket and go places without
having to first apply for a travel clearance, as you would
in a country like North Korea.  The freedom to travel
without showing ID is the icing on the cake, but a cake
without icing is still, essentially, a cake.

The essential freedom in email is the ability to write a
letter without having to apply for permission in advance,
and without it being read along the way.  Having to be
authenticated is not essential.  If adding security in the
form of authentication does help stop spam for good, then
the gains are not "temporary".

In conclusion: Franklin would approve of what we're doing.