W3C home > Mailing lists > Public > public-usable-authentication@w3.org > June 2006

RE: Why SPF and DK are not being used

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Mon, 19 Jun 2006 08:21:37 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37B55DD2@MOU1WNEXMB04.vcorp.ad.vrsn.com>
To: "James A. Donald" <jamesd@echeque.com>
Cc: <public-usable-authentication@w3.org>

> From: James A. Donald [mailto:jamesd@echeque.com] 

>  > So since then authentication becomes all the rage. But  > 
> every time we get authentication only schemes and  > 
> discussion of reputation, discussion even of how to  > 
> integrate reputation mechanisms is excluded from the  > scope.
> Do you comprehend the reasoning behind this exclusion?
> It is rather like excluding one blade of the scissors from 
> the scope of the other blade.  Were they perhaps fearful of 
> being diverted into a front for the CA's unpopular business plans?

I don't think the issue was that, I think they just really, really like Bayesian...

>  > Eventually people are going to get with the program  > and 
> understand that the way to stop spam is  > accountability 
> achieved through Authentication,  > Accreditation and Consequences.
> Negative consequences are hard to impose across the net.

True, but this has never been the part that has worried me personally. There seem to be plenty of folk willing to do consequences, probably too many. I see our job as correctly identifying the (boopety-boo) culprit.

[Bonus point for anyone who knows the above reference]

> I think we have to rely on the positive consequence, that if 
> email is authenticated as coming from a reliable source, its 
> prospects of surviving the spam filter and receiving 
> attention are much improved.

I think that in the short term it would be best if people forgot about commercial spam. Yes I know people do it, I know that there are bad companies and there will always be the manager desperate to make their quarter and spam is really irritating, and people just do not understand that when they gave their business card at a trade show they were signing up for a lifetime of targetted email marketting.

Lets get the criminal spammers first, then work on consequences. I think that DKIM helps target the consequences much better, it is possible to identify the manager responsible for the spam run, it is possible to measure reputation in real time.

> I don't think we can realistically ask most people, or even a 
> very large number of people to become accredited.
> Trust is not outsourced.  

I disagree, banks are in the business of accepting outsourced trust.

> Much of the time we are not really interested in ascertaining 
> true names.  

That is a byproduct. The intention of the Class3 authentication process is to ensure a high degree of probability of identifying the perp who applied for a cert.

> There is a lot of hostility to Certificate Authorities in 
> general, and to Verisign in particular.  I think that this 
> may be a result of the repeated painful experience of 
> installing certificates on Apache. It just never gets easier. 

On the contrary, you should have seen what it *used* to take, at least the platform is supported now.
Received on Monday, 19 June 2006 15:21:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC