spf-discuss

Re: Good Domain List one step closer to reality (actually two steps)

2004-08-13 11:08:00
On Fri, Aug 13, 2004 at 10:33:46AM -0700, Jonathan Gardner wrote:
> On Friday 13 August 2004 10:11 am, Mark C. Langston wrote:
> > I don't see how purchasing an ssl certificate has anything to do with
> > reputation.  Reputation is based on observed behavior over time for a
> > given entity.  That entity can be determined, observed, and routed
> > around (if necessary) without an SSL certificate.
> >
> > The only benefit of buying an SSL certificate is money in Verisign's
> > pocket.  This isn't a "Verisign is evil" rant.  This is a "trying to
> > make a profit off reputation and/or trying to confer a good reputation
> > by spending money is an extremely poor idea" rant.
> >
> > If you think spammers can't afford $300, you're mistaken.
>
> SSL certificates have nothing to do with reputation. They have everything to do
> with accreditation, however. Accreditation and reputation are the two next
> steps.
>
> When someone buys an SSL certificate from Verisign, they are providing more
> information than what went in to the DNS purchase, plus they have basically
> put a non-refundable bond up for $300 that they won't abuse their domain.
> If they do go ahead and start spamming, then they are throwing the $300
> away because the accreditation they bought will be overwhelmed by their
> negative reputation. If we rely on valid SSL certificates as part of our
> accreditation system, it will help raise the cost of spamming.



But my points (three of them) are these:

1)  Accreditation is only useful if it's coupled with an enforcement
mechanism (i.e., a means to use the information provided to punish
poor behavior beyond the initial measure of individual sites ignoring
traffic from them).

2)  Tying the depth of one's pockets to whether a domain is "good" or
not only punishes those whose pockets are shallow (typically, small
businesses, individual domain owners, etc.), and is no barrier
whatsoever to those with deep pockets (e.g., spammers).  Yes, it raises
the cost of doing business.  However, it's a token cost, and easily
absorbed.  Raising the cost further is not a good solution, either, as
it's still only punishing those with shallow pockets.

3)  Tying behavior to profit creates a disincentive to police those
exhibiting poor behavior by those providing the accreditation.  So
someone with deep pockets spams their way to a useless certificate.
Will the accrediting authority refuse to sell them another?  I doubt it.


My ultimate point is this:  Without adequate enforcement mechanisms that
provide for actual real-world punishment (and though laws exist, they're
rarely enforced, even more rarely enforced successfully), accreditation
is not really needed.  Identities can be established, and behavior
tracked, with the information supplied in the SMTP session.  This is
adequate to determine a pattern of behavior and act accordingly.
Accreditation provides nothing extra if there are no functional
enforcement mechanisms.  Even worse, accreditation may provide a false
sense of security, tempting some to downplay reputation information in
favor of the fact that someone coughed up a sum of money.

I can easily envision a future in which a company (let's say Verisign)
comes to an agreement with major MXes that puts money in both
organizations' pockets if the MXes are willing to pass through
Verisign's accredited mail sources without further checks on the input.
Sure, it's a "what if" scenario, but it's not that far-fetched, and it
illustrates the dangers of associating a value judgment with a party's
ability to purchase accreditation.

In the larger sense, this boils down to how much one trusts the
centralized authority granting accreditation.  Certainly, we have a
similar system in place for e-commerce.  However, there are strictly
enforced laws and harsh real-world penalties for things like credit card
fraud.  It's also the case that very few people use the presence of a
certificate as the sole determiner of whether they will do business with
an e-commerce site.  Often, people make that determination on a variety
of factors, one of the most important being past behavior as observed by
multiple agents over time.  In such circumstances, this reputation is
the determiner of further action, not the accreditation.  Should
something go wrong with the transaction, the accreditation may or may
not provide useful information to the wronged party.  Even then, the
information is only useful in the pursuit of enforcement.  Once again,
such enforcement exists for e-commerce transactions.  No such
enforcement exists for spam.

(And, putting my money where my mouth is, so to speak, the GOSSiP
Project referenced in my signature is an open-source attempt to
establish a distributed, peer-to-peer reputation system for e-mail 
that should function just fine without accreditation.)

-- 
Mark C. Langston            GOSSiP Project                  Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org   http://sufficiently-advanced.net   mark(_at_)seti(_dot_)org
Systems & Network Admin     Distributed                     SETI Institute
http://bitshift.org         E-mail Reputation               http://www.seti.org

