On 22 Nov 2006, at 21:34, Hallam-Baker, Phillip wrote:
Under my scheme I am very determined that we do NOT build the toll
booths before the highway, or for that matter afterwards.
Is that because you've realised that toll booths will be ignored, or
you just want to keep it quiet for now? :-)
If somebody deploys a system requiring "electronic postal stamps" of
one form or another, all they do is create a whole new market for
free-for-all SMTP and a mess that looks a bit like the IM space at
the moment.
If you don't have a reputation it does not make a good deal of
sense to pay for an expensive certificate to allow you to
authenticate your claim to that reputation.
Yes it does.
If I can get a certificate for $20, and it's good for a few hours
until it gets revoked whilst I send out 300 million e-mails, and
because I have a certificate 1% of them get into an inbox and 0.1% of
*those* convert into sales of $50 each, I'm up $15 million. What's
more, if everybody needs a certificate to send e-mail, they'll just
move to another system that doesn't. The problem is not people
pretending to be me as well, so why would I buy such a certificate?
This is not an economic battle. People think it is, because they see
the motive behind spam as profit, and if you make spam expensive
enough the battle will be won, but it will always be possible for
them to make it cheap enough somehow.
The fight against spam will be won when we take the collective
intelligence that we have about architecture, protocols, technology,
human factors, how and why bayesian works and where it fails, how and
why spamhaus et al work and where they fail, etc. and put all of that
into finding a way forward to tweaking SPF, DKIM, and other hacks
around DNS and ALSO formalise efforts to track and kill spambots.
It won't be won whilst we try and price people out of the game. It
won't be won if we try replacing SMTP. It won't be won if we try and
just make DNS do something it wasn't meant to do - e.g. act as an ad-
hoc PKI.
Finding the IP of a server from a name scaled out of the capability /
etc/hosts gave us a long time ago. In a similar way, trying to fix
spam through DNS is going to break sooner than we think. We need to
be open to creating new services, tweaks and enhancements. We need a
new SMTP RFC that has MUST written all over it, and those hosts who
don't pull themselves up to speed don't get their e-mail read by the
bigger mail providers, in the same way that most sites don't accept
UUCP any more. We shouldn't be scared of any of that, ever.
However, things that will never, ever work include:
- Trying to make it 'expensive' to send e-mail. There will always be
a way to make it 'cheap enough'.
- Removing the casual nature of the protocol so that everybody gets
tracked down whenever a spook feels like it
- Replacing SMTP. SMTP works because it fits so many needs. Ask
everybody to come up with a new protocol that fits their interests,
and the end result will look remarkably like SMTP. I am reminded of
the quote that starts "Those who do not understand Unix..." - SMTP is
the Unix of the Internet. ;-)
- Stretching DNS indefinitely to do things its not meant to do
- Backing down from rolling out a service because Yahoo/Hotmail/
Google say they don't like it. Fine, they can provide a rubbish
service, that's their choice.
We can fix this without going around in circles as before.
Accountability is one piece that might do a lot. It won't fix
everything though. It's just too easy to break, and too easy to ignore.
--
Paul Robinson
http://vagueware.com
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf