On Fri, 6 Jun 2003, Hallam-Baker, Phillip wrote:

> Security is risk control, not risk elimination.

Absolutely! Extending that thought, managing risk is about the cost of loss vs. the cost of protection. Humans make mistakes. Systems fail. Sammy Sosa used the wrong bat. The shuttles failed. To reject a service because you have one presumed example of failure is not realistic. A pattern of failures would be an issue, just like you might avoid purchase of an automobile if Consumer Reports failure statistics are abnormally high. For the objectives we are discussing, I think the failure rate at Verisign is not an issue.

Most (perhaps all) folks in this discussion seem to agree that the issue with spam is in the volume and not the mere existence of spam. Social scientists could probably study the parallel growth of spam and the corresponding growth in frustration and even end up with a volume of spam which most people would be comfortable with. I strongly suspect that reducing and keeping spam at 10% of current levels would probably be success. Certainly, 1% would be.

On that premise, I'm certain it doesn't matter if 1 of the current 200 heavy duty spammers gets a fraudulent certificate. That might make final identification more difficult, but most of the other mechanisms will still function.

1. Proof of common source of the quantity of emails needed to be ruled as illegal
2. Source based filtering can still block mail identified with the cert
3. Once the fraud is discovered, the CA is likely to have process in place to avoid issuing new certs to the same entity

The last time I investigated, Verisign had certificates of different types with different prices and levels of identification verification. Even the cheapest have some cost and since I doubt that Verisign accepts cash payment, there is identity associated with the payment. Worst case is a stolen credit card is used to make payment. Since that is an immediate felony, it may actually be the best case from an anti-spam perspective. Because of this cost (and the difficulty of obtaining and risk of using a large number of stolen credit cards), it seems less likely that spammers will follow the scenario of obtaining a large number of throw-away certificates.

Conclusion: I don't see the less than 100% trustworthiness of any CA to be an impediment to the use of certificates as part of an email origin identification scheme. Only a fool would accept a self-signed certificate as having any significance, so I think the suggestion that the ability of a spammer to generate their own storm of certificates has little merit.

Dave Morris