On Tue, 2 Mar 2004, Vernon Schryver wrote:

> I'm not arguing for IP addresses as security tokens. I'm only pointing
> out that issuing new identity cards to the usual suspects won't change
> anything. No IETF protocol can synthesize trust for organizations
> that are not trustworthy. Service providers that host spammers and
> expect spam targets to deal with abuse will never be trustworthy. Most
> of the TBytes/day of spam comes from such providers, whether cable
> modem outfits that turn blind eyes on "owned" boxes, free providers
> whose penalty for abuse consists of making the spammer sign up for a
> new drop box, or tier 1 providers that lie about the impossibility of
> determining which of their resellers is hosting a spammer.

Hear, hear. <clap> <clap> <clap> (the crowd goes wild). Or at least it should.

Vernon speaks the truth, and he's pointing out a fundamental flaw in the entire "consent" approach. We cannot now, nor will we be able to in the foreseeable future, be able to extend meaningful trust to INDIVIDUALS on the Internet, not when it is a large, dynamic entity that is intrinsically anonymous at the human level (and often NEARLY anonymous at the network protocol level where it isn't supposed to be!)

To mutilate a metaphor, it is like extending trust on the basis of ethernet number on a non-flat network, never mind that you don't SEE the ethernet number of the originator -- but you can trust the number of the upstream router, can't you? -- never mind that an ethernet number can be altered, never mind that ethernet devices are cheap in any event.

What it is, you see, is getting even BIG organizations such as yahoo that make money (as they see it) by providing loose unstructured services prone to abuse and lose/spend money (no question) providing the infrastructure and humans and tools required to properly police those services.
They have real money at stake, investors to please, and a need to keep their bar very low as they live or die by how many "customers" they have for their "free" services. Even requiring a credit card or proof of some sort that you (as a potential client) actually exist at all eliminates all the children in the world as well as many (sensibly) paranoid adults who don't WANT to certify access to a free service with a credit card or some other verifiable token like an address and possibly expose themselves to still more unwanted contact, identity theft, etc.

In fact, yahoo is in a lot of ways an archetype, a key problem that any solution has to be able to manage. Will a proposed solution control spam originating on yahoo and its even less reputable brethren? If it won't, why bother?

"Consent" or "transitive trust" (or whatever it is that you want to call whitelisting a class of traffic while blacklisting another with NO GREY in between, since consent is a binary concept) of INDIVIDUALS is a complete non-solution in the case of yahoo (not to mention all its darkside kin). Is it in any sense at all POSSIBLE to fractionate "consent" to email traffic from WITHIN yahoo.com? I don't think so, and I don't see how it could be, given the ease with which anonymous yahoo accounts can be created, used to spew spam, and destroyed.

Blacklisting yahoo.com across the entire Internet (even for a day), now, that's a solution that would probably work to get them to clean up their act, if "everybody" did it. It would likely also serve as a salubrious lesson to all the rest of the wicked blind-eye SPs. A shunning, a shunning...;-)

   rgb

-- 
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@xxxxxxxxxxxx