spf-discuss

Re: Good Domain List one step closer to reality (actually two steps)

2004-08-13 11:33:19
Mark C. Langston wrote:

Specifically, how is the ability to purchase an SSL certificate
conferring a "good" status to a domain?

It's not a question of "good"ness.  It's a question of commitment.

A vanilla domain costs less than $10 a year.  SSL certificates from
Verisign cost around $300 a year.

If a domain is identified as a spam source, spammers will ditch it
for new ones.  This is more painful for them if they've invested
$300 in the domain than if they've only invested $10.

I don't see how purchasing an SSL certificate has anything to do with
reputation.  Reputation is based on observed behavior over time for a
given entity. That entity can be determined, observed, and routed
around (if necessary) without an SSL certificate.

Am I the only one who has a problem with this whole certificate scheme? (and
I mean 'scheme' in the broadest sense of the term).

SPF was predicated on the premise that domain owners, themselves, safeguard
their reputation, at the absolutely minimal cost of publishing SPF records.
Then someone came along, and said: "Let us do domainkeys; or something
similar." And all of a sudden we are talking about a centralized database of
"good guys". And to be on that list, of course, you have to pay $300 a year
to this central authority (or, indirectly, to his soon-to-be-billionaire
accomplice, who provides the certificates to communicate with them).

In fact, such a global whitelist is really just a blacklist in disguise.
Because the reality will not be that you are whitelisted at places for being
on that list, but blacklisted for not being on there; or, subsidiarily, penalized
for not being on board (getting a "spammy" score in SpamAssassin, for
instance, for having an unsigned header). Frankly, the whole thing smacks of
extortion.

Not to mention the huge problem of solving disputes. On whose door will you
knock? Verisign's? And who died and made them king? Now they are suddenly
the leading moral authority on determining who is a spammer? Whatever
happened to the initial idea of having domain owners be responsible for
their own domains? (And by that I mean being responsible, not to the tune
of having to pay $300 a year to Verisign per domain, but being so by
publishing SPF records.)

Sigh.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx