on 5/30/2003 12:05 PM Vernon Schryver wrote:

> None of the even slightly plausible anti-forgery proposals have even
> the slightest believable effects toward enforcing the use of known
> identities.

They don't have to be "known" identities to provide accountability measures, they only have to be verifiable. The proposals that even I think are too complex are the ones that require the use of "known" identities (exchanging tickets, bilateral postage agreements, etc). Simply limiting the information to a "verifiable" scope can provide sufficient levels of accountability.

For example, allowing self-signed certificates but restricting their acceptance to the same mail domain would provide some baseline measure of verification (DNS lookups), and would provide some level of accountability (through the DNS domain delegation information), and would provide additional strength to the available enforcement options. None of that requires "known" identities (btw, I'm not ready to propose that usage model, just laying it out as an example of how "known" identities aren't necessary to achieve a goal of accountability through verified paths).

> No anti-forgery proposal has included anything that would
> inconvenience a spammer that wants 10,000 "known identities." No price
> on certificates or any other mechanism can be low enough to be
> tolerable by users but high enough to determine that the next new
> account an ISP sees is not a known spammer with a new name, addresses,
> and valid credit card number.

First of all, I think this is really an argument for legal options. I've already stated that I don't think the spam problem in particular can be "fixed" in the absence of legal enforcement options.

Secondarily, if we wanted to be productive (forward-moving) on this particular subject, we should be discussing the mechanisms that would be needed and/or useful towards making the necessary retrieval, comparison and enforcement functions useful, and which would in turn make any of the available enforcement options useful. I don't find the current absence of credible services (WHOIS is currently useless) to be a compelling argument against their eventual presence (WHOISng may be more useful), nor as compelling arguments against their subsequent integration with other services (integration between a WHOISng and an SMTPng for locating all of the domains associated with a known offender, as one possibility). We already know we're going to need some kind of identification mechanism, so what else would we need as part of that?

>> The first step in that means weakening the ability to use forgery
>> techniques as a shield, but that's just a start. It should also help
>> against some of the prevarication you describe above, since there
>> would be less room for waffling if recipients were able to "prove" by
>> verifiable transfer-path analysis that a particular node had
>> absolutely sent some piece of spam.
...
>
> That should sound like the mistake it is in a more or less technical
> setting like this. There has never been any lack of a "verifiable
> transfer-path analysis that a particular node had absolutely sent some
> piece of spam" unless you believe that spammers use initial sequence
> number prediction to forge IP addresses. You always know the IP
> address of the SMTP client, even if it is a relay or proxy. ISPs could
> and should hold operators of open relays and proxies accountable for
> sending the spam their systems send.

Conceding that "ISPs could and should hold operators...accountable" doesn't dismiss the claims, and neither does the rest of your text.

Preventing the use of proxies through verifiable end-system identifiers is one of "the first steps" I referred to. The problem would mostly move into the relay and direct-sender space, but those uses could be dealt with much more aggressively given the "proof" that would be available afterwards; the range of enforcement options are all strengthened by better proof. The original claims stand, despite your concession and fist-waving.

>> Secondarily, there is another class of user where forgeries are
>> problematic in their own right, which is outright impersonation
>> and/or fraud, and in that context the anti-forgery capabilities would
>> stand as a unique benefit. However, the enforcement options which
>> were made available to those users as a result of the accountability
>> features would be no less compelling to those users if forgery were
>> attempted and caught.
>
> Please point out a single such case where header forgery was not
> obvious and that needed or could have used any extra machinery.

In 1993, Adelyn Lee won a $100,000 wrongful-termination settlement against Oracle, partially using forged email between her superiors as evidence. Four years later the forgery was exposed, but the evidence that did her in was testimony, log files, and cell-phone records, not the email message. It seems obvious to me that a mail system which offered the kinds of accountability features we're talking about and which cost less than the settlement costs, corporate personnel and legal fees would have been well worth the expense to them.

http://www.wired.com/news/technology/0,1282,9641,00.html describes three different instances of fraudulent misrepresentation of Yahoo, any of which would have been ameliorated with half-decent identity information which clearly indicated the user was a customer and not an employee of Yahoo. I've no idea what the dollar cost to Yahoo was, but the legal time alone couldn't have been cheap, not to mention the economic impact from loss of credibility.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/