On Tue, 10 Sep 2002 19:18:59 +0200, Iljitsch van Beijnum said:

> Or we throw out SMTP and adopt a mail protocol that requires the sender to
> provide some credentials that can't be faked. Then known spammers are easy
> to blacklist.

It's nice to say "we make it easy to blacklist spammers". The problem is that those systems that *HAVE* made it easy to blacklist spammers are *ALWAYS* taking heat for making it easy - remember how ORBS was held in little high regard? And even the MAPS people have had their share of legal hassles.

We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and so on. The problem is that we don't know how to do a PKI that will scale (note that the current SSL certificate scheme isn't sufficient, as it usually does a really poor job of handling CRLs - and the *lack* of ability to distribute a CRL (which is essentially a blacklist) is the crux of the problem).

There's also the problem of distributing valid credentials to half a billion people - while still preventing spammers from getting any. The DMV hasn't learned how to keep *teenagers* from getting fake ID's, why should we expect to do any better in keeping a motivated criminal from getting a fake credential?

It's not as easy as it looks. As Bruce Schneier talked about in "Secrets and Lies", where he does a hypothetical threat analysis regarding getting dinner in a restaurant without paying, most of the attacks actually have nothing to do with the part of the transaction where money changes hands...

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech