On Tue, 16 Mar 2004, Dr. Jeffrey Race wrote: > On Mon, 15 Mar 2004 18:12:22 -0800, Ed Gerck wrote: > >BTW, how can we talk about "actions that have consequences" in terms of a > >technical solution that the IETF can pursue? > > > The whole point is there are NO TECHNICAL SOLUTIONS and never will be. Correct, and I gave an explanation for this in inforamtion theory. > (There are some technical aspects to improving traceability, however.) The traceability is about as good as it will get. If you have an IP address and a time, that is all you need, and like a phone number, all you might hope to get. While an open proxy can hide the true IP of the abuser, you still get the IP of the open proxy. Likewise, if the dialup account is stolen, you may get the IP address assigned to users of the dialup gateway, which also isn't the culprit. Even cryptographic methods start by having ISP's issues certificates. The certificates, like other accounts might be thought of as disposable. Or they might be stolen. Authentication is not a solution to spam. As you might recall, after the east coast power outage, it was suspected that the outage might have been related to a virus. While it turned out not to be, it didn't take long for the virus author to be tracked down by law enforcement. There is nothing wrong with the current traceability. What anti-spammers want is to have access to private information. This will not happen without proper legal procedures. CAN-SPAM explicitly permits information to be obtained by subpoena, but basically, this was all obtainable before, as AOL and many others have demonstrated. > IETF would not apply the consequences; the victims would apply the > (behavioral) consequences using established guidelines, employing > technical measures already established in RFCs. > > IETF and other standards bodies can bless agreed procedures for using > the existing technical steps in new behavioral ways. > > There are two reasons this is crucial: > > 1) Courts often, perhaps usually, defer to declared norms of industry > standards bodies, in establishing reasonableness of disputed > behavior. We can be decisive in establishing these norms. The > courts can't easily act to use the COMPLETELY ADEQUATE EXISTING > LAWS in part because of this lacuna. Example? Given that you seem to think open relays are bad (from you proposal), and since the only time I've ever heard such a claim involved open relays, I'm guessing that's what you mean. Having litigated the issue--it was so frivolous that it didn't get to a filing but there were lawyers involved, I can report to you that the reasonableness of running open relays in particular has nothing to do with technical standards. The central issue is that there a genuine reasons to provide unauthenticated or post-authenticated relay services outside one's assigned IP address space, and secondly, the claims that open relays are somehow associated with spam or provide some benefit to spammers doesn't hold up to legal scrutiny. Open relays are not the same as anonymous relays. Open relay use doesn't in any way impede investigation of spam. Nor does open relay use impede spam blocking. There are two types of people who speak against open relays: The first type are misled. They have very little idea of what an open relay is or why they would be used. They've just been told that open relays are bad, and have come to believe this fervently themselves. It is an article of faith, and not of logic. The second type abuses them. Genuine spammers of the sort that would be subject to the CAN-SPAM act do not abuse open relays. Only radical anti-spammers search for, and abuse open relays. > 2) Normative documents, and personal leadership, convert a group or a > mob into an "emergent structure" (say a business firm, a dance > company, a charitable organization, a military unit, a religious > order, a teen gang) in which the norms absolutely bind the behavior > of the participants, even to death. > > I say, in a completely non-deprecating way, that these points from law > and sociology may not be apparent to engineers (or in fact to anyone else > who is not an attorney or a sociologist) but they are completely true > and completely binding on human behavior. > > > >The consequences are not > >technical. In addition, they would need to be arbitrated and we know how > >long, ineffective and expensive that can be. > > > No arbitration needed. Please re-read the proposal. > > My proposal (which received input from many people) is basically just > common sense. That's what we need now. The answers are in. The > proof is in. Let's do it. Now. Actually, common sense would be that anytime you interfere with someone's rights, there will be legal procedures involved. But this is another weakness in the cherished assumptions of the radical anti-spammers. They seem to think that they are the only people with rights.