Re: Why SPF and DK are not being used from James A. Donald on 2006-06-19 (public-usable-authentication@w3.org from June 2006)

From: James A. Donald <jamesd@echeque.com>
Date: Mon, 19 Jun 2006 11:06:04 +1000
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
CC: public-usable-authentication@w3.org
Message-ID: <4495F87C.20109@echeque.com>
     --
James A. Donald:
 > > Since [Spam Assassin] attaches no reputation to
 > > sites that prove origin of their email, it gives
 > > legitimate sites no reason to prove origin of their
 > > email - and it gives spammer sites every reason to
 > > prove origin of their email when they can

Hallam-Baker, Phillip wrote:
 > This is precisely the point of email authentication,
 > so that you can build better reputation schemes.

Exactly so.

 > Bayesian style assumptions are the reason that
 > confidence tricks work so well. Trying to apply them
 > against an adversary who is counterprogramming is a
 > bad idea.
 >
 > So since then authentication becomes all the rage. But
 > every time we get authentication only schemes and
 > discussion of reputation, discussion even of how to
 > integrate reputation mechanisms is excluded from the
 > scope.

Do you comprehend the reasoning behind this exclusion?
It is rather like excluding one blade of the scissors
from the scope of the other blade.  Were they perhaps
fearful of being diverted into a front for the CA's
unpopular business plans?

 > Eventually people are going to get with the program
 > and understand that the way to stop spam is
 > accountability achieved through Authentication,
 > Accreditation and Consequences.

Negative consequences are hard to impose across the net.
I think we have to rely on the positive consequence,
that if email is authenticated as coming from a reliable
source, its prospects of surviving the spam filter and
receiving attention are much improved.

I don't think we can realistically ask most people, or
even a very large number of people to become accredited.
Trust is not outsourced.  By and large I am in a better
position to know if X is what he purports to be than
Verisign is.  Verisign and like authorities serve a
useful and valuable role, but there is a great deal of
stuff that they cannot do and should not attempt to do.
Much of the time we are not really interested in
ascertaining true names.  The fact that someone has a
Verisign certificate does not mean their software does
not contain a Trojan horse.  A system that merely proves
that email coming from BankOfAmerica.com.vronsky.ru is
authentic is of rather limited value.  As I am fond of
pointing out, none of the many people offering me cheap
Rolex watches have claimed to be Rolex, and none of the
many people offering me a share of Charles Tailor's
stolen diamonds have claimed to be Charles Tailor.

There is a lot of hostility to Certificate Authorities
in general, and to Verisign in particular.  I think that
this may be a result of the repeated painful experience
of installing certificates on Apache. It just never gets
easier. People feel that they should not have to do this
in order to have encrypted sessions without confusing
warning messages.  SSH just works.  Why, they wonder,
does SSL not just work?  So whenever you say
"accreditation", the people you are talking to remember
the last time they installed a certificate on Apache and
get the feeling "You Verisign?  You Die!"

 > The ability to obtain an accreditation is essential if
 > the authentication mechanisms are going to be
 > effective. This is why we began circulating the
 > VeriFied Domains List which has over 100,000
 > authenticated domains listed on it.

Can I obtain a copy of this list?  I want to see if my
domains are present, and if various well known evil
domains are absent.

 > So the way we need to jump start the accreditation
 > market is by providing other incentives to email
 > senders to get accredited. I think that the idea of
 > Secure Letterhead over DKIM is probably the way to
 > create the necessary initial critical mass.

Accreditation is of limited value.  Accreditation is
both too restrictive  and insufficiently restrictive -
it is infamously painful to get and install the
certificate necessary for https, yet accreditation does
not and cannot supply the kind of information one sees
on the Ebay reputation page.

Accreditation can only operate in an environment where
it is one part of the solution.  If it attempts to be
the entire solution (evil Verisign monopoly), few will
accept that solution.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      3CZoQApZxPwSKgweYP5O/Whbj7GqE5VG05hXucDj
      42sHgh8RMRo4KtLCAnYTNTgn8bhtaNayWJxTDwaS9
Received on Monday, 19 June 2006 01:06:10 UTC