Re: I'd Sign Up in http://www.dslreports.com/forum/r7488508 en Wed, 20 Aug 2008 22:42:02 EDT Wed, 20 Aug 2008 22:42:02 EDT Re: I'd Sign Up http://www.dslreports.com/forum/remark,7490600 nixen :
said by Marilla See Profile:
And I think it's much more realistic to expect SMTP servers to get certificates than to expect every single user on the Internet to do so. Doesn't it sound cheaper if an ISP only needs one cert per e-mail server, costing a couple hundred a year, as opposed to hundreds of millions of USERS having to get a certficate every year, costing whatever they will cost.

Sounds cheaper, until you get to the point where you get charged for each and every email address you wish to use. Personally, I use a unique email address for every web site or internet service I sign up for. That way, if I ever receive SPAM at that address, I know who it was that sold my address. That way, I can cease doing business with said service and deadmail the tainted address.
said by Marilla See Profile:
Add to that the fact that the requirement to get a certificate to EVERYONE on the Internet would be a nightmare, in and of itself.

Err... but you're in agreement that everyone should have to authenticate? That everyone should be identifiable? Yet, you don't want to go the next logical step? Besides, personal certificates also mean that you can sign and encrypt your emails (thus upping the privacy of correspondence). It's also a bit more difficult to forge an authentication identity when personal certificates are used.

said by Marilla See Profile:
If such a plan caused a lot of 'small' e-mail servers to drop off the face of the planet.. including yours and mine... I'm perfectly happy.

Ah, one of the people who's perfectly happy to give up a little bit of personal freedom in exchange for a little bit of security, I see. Fan of the Patriot Act, too? At any rate, I won't bother to quote Ben Franklin. ;)
said by Marilla See Profile:
Hell, I got a server certificate for one of my websites that only has maybe 10 people using it...

Unless you're selling something off that website and are only doing it to provide an encrypted channel, you'd have been better served generating your own certificate.
said by Marilla See Profile:
After that, ISP's can more pro-actively observe traffic from their users... when users seem to be engaging in 'mass e-mailing',

Like running a listserv/majordomo, or even something as innocuous as telling everyone in their address book, "we just had a baby," or "I am getting shipped to the gulf," or "I'm moving," (etc.).
said by Marilla See Profile:
the ISP can look closer, and they'll HAVE A USERNAME it's connected to. IT would be up to the ISP themselves to be certain that it's not too easy to simply 'sniff' those usernames over the Internet... perhaps by being certain that SMTP logons don't go OVER the Internet itself, but stay on the ISP's local network.

So, having given up my ability to have function-oriented email addresses, I'm to also give up my ability to do SMTP transactions as myself, no matter where I am? I mean, what you're proposing means, if I am over at a friend's house who has a different ISP that has such a policy, I am not going to be able to send email (and no, craptacular Web/Mail gateways are not acceptable).
said by Marilla See Profile:
Given the costs that ISP's claim are associated with handling spam

And, as an ISP, they're already offloading that cost to the service users (cuz they sure as heck can't offload it to the SPAMmers). What do you think is going to be the real price difference for the end user if mail server choice is reduced?

Personally I think that everyone that cares about privacy, identity theft, etc., should be screaming for affordable and quickly/easily installed personal certificates. But, that's really a separate issue.

-tom
--
You can be only -so- accurate with a sledgehammer.]]> http://www.dslreports.com/forum/remark,7490600 Thu, 24 Jul 2003 18:02:49 EDT Re: I'd Sign Up http://www.dslreports.com/forum/remark,7489983 Marilla : I only mentioned POP3 servers because I don't believe any server, at all, that is involved in e-mail should accept any mail that is not 'approved', IF such a system were put in place... I do understand that POP3/IMAP really only deal with delivering the mail to the client.. but.. well, yes.. just remove 'POP3' from my list..

And I think it's much more realistic to expect SMTP servers to get certificates than to expect every single user on the Internet to do so. Doesn't it sound cheaper if an ISP only needs one cert per e-mail server, costing a couple hundred a year, as opposed to hundreds of millions of USERS having to get a certficate every year, costing whatever they will cost. Add to that the fact that the requirement to get a certificate to EVERYONE on the Internet would be a nightmare, in and of itself.

If such a plan caused a lot of 'small' e-mail servers to drop off the face of the planet.. including yours and mine... I'm perfectly happy. Hell, I got a server certificate for one of my websites that only has maybe 10 people using it... certainly, I would get it for my e-mail, OR I would let me ISP get it on their server and make sure they have me set to authenticate to it.

Actually, my home ISP already DOES require that I authenticate to their SMTP server. I'm sure they wouldn't be concerned about having to get a cert for the e-mail server, if it was being done globally, in order to prevent 'open relays' and other tools spammers can use.

After that, ISP's can more pro-actively observe traffic from their users... when users seem to be engaging in 'mass e-mailing', the ISP can look closer, and they'll HAVE A USERNAME it's connected to. IT would be up to the ISP themselves to be certain that it's not too easy to simply 'sniff' those usernames over the Internet... perhaps by being certain that SMTP logons don't go OVER the Internet itself, but stay on the ISP's local network.

Given the costs that ISP's claim are associated with handling spam, I think something like this COULD work... but it would really require a different setup than we have right now, I think... and it would take a while to get EVERYONE on it, so that it would be effective.]]> http://www.dslreports.com/forum/remark,7489983 Thu, 24 Jul 2003 16:58:02 EDT Re: I'd Sign Up http://www.dslreports.com/forum/remark,7489064 nixen :
said by Marilla See Profile:
Of course, it may be too late to really 'tear apart' e-mail and start all over... but one possibility... instead of USERS having to concern themselves with certificates, perhaps ISP's could begin to put in place a system where SMTP/POP3 servers authenticate each other, and SMTP servers become required to perform SOME sort of authentication of their own users, or else they get 'kicked out' of the system, in some way.


Problem isn't really POP/IMAP authentication. Problem is pretty much with SMTP.

SMTP client authentication is fairly trivial to set up. Unfortunately, just because my SMTP server has authenticated the client, it doesn't really give any other SMTP server a reason to trust anything coming from my SMTP server. For this, you need to set up trust relationships.

Trust relationships are also fairly trivial to set up (however, depending on the method used, said trust relationships have to trade of scalability and management ease for security). Unfortunately, many people (myself included) don't like to pay hundreds of dollars of year to secure a server with a commercial SSL certificate. It's fairly likely that even fewer are going to want to spend that kind of money on securing a mail server.

That's why I was suggesting per-user. That way, I could always write my rules such that, if the originating user had authenticated with a certificate from a trusted authority, I wouldn't have to worry about whether I trusted any of the intervening mail hosts. Of course, SMTP would need to pass more than simply "Verify=OK" in the headers - it would need to include the verification certificate fingerprint, or something.

-tom
--
You can be only -so- accurate with a sledgehammer.]]> http://www.dslreports.com/forum/remark,7489064 Thu, 24 Jul 2003 15:30:48 EDT Re: I'd Sign Up http://www.dslreports.com/forum/remark,7488620 Maxo :
said by Marilla See Profile:
Actualy, though, I don't think 'spam' can be tackled - AT ALL - without a substantive change in the whole e-mail system itself.

Agreed, as great as POP and SMTP have proven to be it's too easy to forge. On the other hand I think SPAM is as stopable as P2P. With P2P there's always a bigger nerd out there with too much spare time willing to right a better, harder to stop, program. With SPAM there's a big enough ass-hole with enough money willing to make a better, harder to stop, program.
--
God I love being a turtle. - Michaelangelo »www.maxolasersquad.com]]> http://www.dslreports.com/forum/remark,7488620 Thu, 24 Jul 2003 14:48:16 EDT Re: I'd Sign Up http://www.dslreports.com/forum/remark,7488612 Marilla : Yup.. that's why I said it really needs a basic change to the whole system. Our E-Mail protocols were designed for a 'wide open' communication system.. the people that did this weren't expecting things like Spam or e-mail-borne virii.

Of course, it may be too late to really 'tear apart' e-mail and start all over... but one possibility... instead of USERS having to concern themselves with certificates, perhaps ISP's could begin to put in place a system where SMTP/POP3 servers authenticate each other, and SMTP servers become required to perform SOME sort of authentication of their own users, or else they get 'kicked out' of the system, in some way.

This could stray into the same sort of 'black listing' system many people fall into now, but what I'm suggesting is an industry-standard method of determining what servers can or can not... bleh... the more I think about this, the bigger headache I get!

I'll just switch all my e-mail to a 'white list' system, with a 'challenge' mechanism for every possible recepient.

Ugh]]> http://www.dslreports.com/forum/remark,7488612 Thu, 24 Jul 2003 14:47:15 EDT Re: I'd Sign Up http://www.dslreports.com/forum/remark,7488508 nixen :
said by Marilla See Profile:
Actualy, though, I don't think 'spam' can be tackled - AT ALL - without a substantive change in the whole e-mail system itself.

If all email was required to originate from authenticated sources and the authentication was made to require the use of third party authentication tokens, then maybe that could work.

However, paying Verisign (or whoever) to generate me an e-mail key every year is a pain in the ass. Worse, installing such keys into all of your tools is not as simple as just clicking on a certificate installer application. You have to go to each application that you want to authenticate with and install the certificate. Just kinda blows.

-tom
--
You can be only -so- accurate with a sledgehammer.]]> http://www.dslreports.com/forum/remark,7488508 Thu, 24 Jul 2003 14:35:30 EDT Re: I'd Sign Up http://www.dslreports.com/forum/remark,7488448 Marilla : I commend your combination of open-mindedness, and yet practical common sense, in that approach.

Of course, in taking that approach, I think you do understand the basic reality; More than likely, the names on that list will get hit worse than ever imagined possible (I dunno... one day, and 200 mails in my 'Spam' folder on my Yahoo.com address is pretty ugly!)

Personally, I like an idea that was touched on here in this article; Make the ultimate advertiser responsible for ads they contract for. Of course, we need to be mindful of the possibility that competitors or even just pranksters will 'spam' on 'behalf' of a company, just to cause them trouble... but where we can clearly track a company to having bought advertising from another company with a knowledge that 'spamming' would have been part of it...

Actualy, though, I don't think 'spam' can be tackled - AT ALL - without a substantive change in the whole e-mail system itself.]]> http://www.dslreports.com/forum/remark,7488448 Thu, 24 Jul 2003 14:29:24 EDT I'd Sign Up http://www.dslreports.com/forum/remark,7488383 nixen : But, the address that I'd register would be the one that I use for my DCC processes. As such a registered address, it should never receive any emails, SPAM or legitimate. If the address never receives any email for at least a year, then I might consider registering my real address.

-tom
--
You can be only -so- accurate with a sledgehammer.]]> http://www.dslreports.com/forum/remark,7488383 Thu, 24 Jul 2003 14:23:39 EDT