From: "Mark C. Langston" <mark(_at_)bitshift(_dot_)org>
In the larger sense, this boils down to how much one trusts the
centralized authority granting accreditation.
That is the *real* issue with SSL - and the answer is simple - you can't !!
Nor can you trust domainname sellers, ISP's etc,etc. They are all in it for
money, and there will always be some unscrupulous ones who will stoop to
anything for profit.
Spammers are not doing spam for fun - it is a seriously big business, and
they are aware of all the measures in place and being discussed to curb
their business, and are probably on this mail-list*. Whatever we, or anyone
else does, spammers will always be able to find a work-around. The simplest
example is the increasing number of genuine domains sending properly
formatted and totally legitimate-looking spam. They simply set themselves
up with a domain purchasing scheme and write some fairly easy scripts to
generate a new domain - say one a week - properly configured and with all
the bells and whistles (including spf) and we will have no defence. Servers
are really cheap and plentiful today, so they can afford a uml-type virtual
server once a month or so as well.
We must do what we can, but that does not include spending e-mail users
money on things like SSL. Simple SPF is the way forward (for now) - once it
is totally implemented across the web, and I think that is the real goal of
the SPF project.
Slainte,
JohnP.
johnp(_at_)idimo(_dot_)com
ICQ 313355492
* Check through the archives and see which members of the mail-lists have
contributed little or nothing ;-)