spf-discuss

Re: Good Domain List one step closer to reality (actually two steps)

2004-08-13 11:02:50

----- Original Message ----- 
From: <Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, August 13, 2004 12:28 PM
Subject: RE: [spf-discuss] Good Domain List one step closer to reality (actually two steps)


Mark C. Langston wrote:
> On Fri, Aug 13, 2004 at 03:14:13AM -0400, Meng Weng Wong wrote:
>
>> Cloudmark has introduced a rating service.
>>
>> Verisign is publishing its list of domains with SSL
>> certificates.
>
>
> Specifically, how is the ability to purchase an SSL certificate
> conferring a "good" status to a domain?

It's not a question of "good"ness.  It's a question of commitment.

A vanilla domain costs less than $10 a year.  SSL certificates from
Verisign cost around $300 a year.

If a domain is identified as a spam source, spammers will ditch it for new
ones.  This is more painful for them if they've invested $300 in the domain
than if they've only invested $10.

This doesn't mean much in the day-to-day world of most users. Most folks
have no knowledge of or concern for the verification of the signatures on
the SSL certificate: they just want to be certain that their transaction is
not occurring in the clear, and would accept an SSL certificate from Uncle
Enzo's SSL Signing Company. All an SSL certificate verifies is that you have
a key. Getting it signed only verifies that you spent the money or effort to
get it signed. In and of itself, it means nothing, and eases the burden of
the user to re-accept the key every time they connect to a system using that
key.

Now, if more users could be bothered to verify the signing authority on
their accepted keys, it would be more useful. But almost no one can be
bothered to do this, which is one reason why the centralized authority model
for SSL keys is such a miserable failure.