Victor Duchovni wrote:

> On Wed, Mar 08, 2006 at 12:53:16PM -0700, Peter Saint-Andre wrote:
>
>>> These are closed systems that compete with each other; once
>>> they become federated, they can no longer compete on end-to-end
>>> security, because that is a property of the interoperability
>>> framework, not the individual product. Also, with millions
>>> of account issuers, the abuse and identity problems become
>>> just as bad as for email. The problem is intrinsic; it is not
>>> the result of lazy RFC writers.
>>
>> Well, in the Jabber/XMPP world we require authentication, servers must
>> stamp the from addresses, and we use (at a minimum) reverse DNS lookups
>> to verify server identities (or use certs with TLS + SASL-EXTERNAL if
>> you want true server-to-server authentication). So I'd say the abuse and
>> identity problems are not as bad in IM (at least the IM technology I'm
>> familiar with) as in email. But you'd hope that we've learned a thing or
>> two since email was invented. ;-)
>
> What is the value of such "authentication"? Which organizations will you
> trust? For example, most mail that passes SPF is spam... Authentication
> by the issuing organization is only useful if you can keep bad issuers
> off the net... If federated Jabber becomes universal, the bad guys cannot
> be excised from the network. The botnets cannot be excised from the network,
> ...
>
> The problem is technology neutral. Loosely along the lines of Goedel's
> incompleteness theorem, any universally deployed federated communications
> medium will exhibit spam.
I never made the strong claim that the federated Jabber network is or always will remain spam free, only the weaker claim that its abuse and identity problems are and will remain less serious than those of the federated email network as it exists today. There is no magic bullet, and a spam-free utopia is not an option if federated communications are desired.

I do not dispute that if Jabber becomes popular enough, there will be rogue servers that don't enforce local authentication (although with server dialback and TLS they can't fake from addresses at other domains, see RFC 3920), and that those who deploy Jabber services will need to blacklist those domains.

I do not dispute that there will be spam bots and that server admins or end users will need to block communication with those bots (e.g., using the privacy list protocol defined in RFC 3921).

I do not dispute that there will be phishing attacks (e.g., using internationalized addresses that look like but are not identical to familiar addresses) and that client software will need to take appropriate measures to differentiate between legitimate and mimicked addresses (e.g., using petname systems as described in JEP-0165).

All I'm saying is that we have a lot of the infrastructure in place (and are building more) to make abuse harder and identity stronger than it is on the existing email network. Is Jabber perfect? No. We're just trying to make it good enough that the bad guys will go elsewhere (which, so far, they have).

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
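The lookalike-address problem Peter raises above (an internationalized JID that resembles but is not a saved contact) is the kind of thing a client-side petname check has to catch. The following is an added example, not code from the thread or from any Jabber project: it recognises a contact only by the exact JID the user has saved, and flags incoming JIDs whose Latin "skeleton" collides with a saved one or that mix scripts. The confusable table and the roster are constructed sample data, not the full Unicode confusables list.

```python
"""Client-side lookalike check for XMPP bare JIDs (added example)."""
import unicodedata

# Constructed subset of visually confusable characters -> Latin skeleton.
# Not the full Unicode confusables list; enough to show the technique.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a",  # Greek omicron, alpha
    "0": "o", "1": "l",            # digit lookalikes
}


def skeleton(jid: str) -> str:
    """Map a JID to a case-folded Latin skeleton so lookalikes collide."""
    normalized = unicodedata.normalize("NFKC", jid).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def scripts(localpart: str) -> set:
    """Return the set of scripts (LATIN, CYRILLIC, ...) used by the letters."""
    found = set()
    for ch in localpart:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def check_jid(jid: str, roster: dict) -> str:
    """Classify an incoming bare JID against the user's saved contacts.

    roster maps a saved bare JID to the petname the user chose for it.
    Returns 'known:<petname>', 'lookalike:<saved jid>', 'mixed-script'
    or 'unknown'. Only an exact match on a saved JID is trusted.
    """
    if jid in roster:
        return "known:" + roster[jid]
    incoming = skeleton(jid)
    for saved in roster:
        if skeleton(saved) == incoming:
            return "lookalike:" + saved
    local, _, _ = jid.partition("@")
    if len(scripts(local)) > 1:
        return "mixed-script"
    return "unknown"


# Constructed sample roster: bare JID -> petname chosen by the user.
ROSTER = {"stpeter@jabber.org": "Peter", "alice@example.org": "Alice"}
```

A real client would surface the petname for a known contact and a warning for the other three verdicts instead of showing the raw address.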