On 4/28/22 09:05, Vittorio Bertola wrote:
I see this as one of the many manifestations of possibly the biggest shortcoming in the original design of the Internet's architecture, i.e. not having an "identity layer" taking care of user authentication and information sharing in a uniform way below all application protocols. Of course, this need only became fully apparent much later than when the architecture was designed, so the architects are entirely excused; also, this is not just a technical problem, and the organizational architecture is not fully ready even now.
While I agree at least to the extent that using source IP address
as a proxy for identity is horrible, it seems to me that the
problem with an "identity layer" is that it almost presumes that
there's some signal notion of "identity" that should be shared
across all Internet users, protocols, environments, usage
situations, etc.
(And even if you somehow make the identity layer agnostic about
such variables, in practice it's likely that the "market" would
support only one or two kinds of identity and thereby make the
Internet even more hostile to diverse applications than it already
is.)
Still, if I had a standard way to sign my email and privately, securely disclose who I am to the recipient, we would not have had the need to build alternative identity systems such as DKIM, based on unacceptably vague proxies for the sender's identity (i.e. the domain of their email provider). Identity is a precondition for any reputation system - if you attribute reputation to the wrong identity you are going to blame someone for someone else's actions, which is exactly how antispam filters mostly work today.
Being able to privately, securely disclose who you are to the recipient wouldn't do a thing to help spam filters, since spam filters aren't the recipients of messages and a "secure" disclosure of who you are to the recipient wouldn't make that disclosure visible to anyone else.
And antispam filters don't even really work by assigning blame to the wrong party; that's giving them too much credit. They just believe that they can DoS someone's email for entirely arbitrary reasons that they typically don't even bother to disclose.
Keith