On Wed, Mar 08, 2006 at 01:55:16PM -0700, Peter Saint-Andre wrote:

> I never made the strong claim that the federated Jabber network is or
> always will remain spam free, only the weaker claim that its abuse and
> identity problems are and will remain less serious than those of the
> federated email network as it exists today.

Time will tell. All I expect from the ultimate (~3 years out) rollout of email authentication is less backscatter, not less phishing or spam.

> I do not dispute that if Jabber becomes popular enough, there
> will be rogue servers that don't enforce local authentication (although
> with server dialback and TLS they can't fake from addresses at other
> domains, see RFC 3920), and that those who deploy Jabber services will
> need to blacklist those domains.

Of course new domains are less than $4 each in bulk... How will you lock out throw-away domains? The black-list problem for email is not solved. The good lists are nowhere near 100% effective. Is the equivalent of port 25 blocking tractable for Jabber? Is there a difference between the user-to-server port/protocol and the server-to-server port/protocol in Jabber?

> I do not dispute that there will be
> spam bots and that server admins or end users will need to block
> communication with those bots (e.g., using the privacy list protocol
> defined in RFC 3921). I do not dispute that there will be phishing
> attacks (e.g., using internationalized addresses that look like but are
> not identical to familiar addresses) and that client software will need
> to take appropriate measures to differentiate between legitimate and
> mimicked addresses (e.g., using petname systems as described in
> JEP-0165).

Yes, petname systems are an important UI tool for preserving the integrity of existing peer communications. If IM is to "replace" email as some want to claim, it needs to support messages from a fair share of total strangers (we have never met).

> All I'm saying is that we have a lot of the infrastructure in
> place (and are building more) to make abuse harder and identity stronger
> than it is on the existing email network. Is Jabber perfect? No. We're
> just trying to make it good enough that the bad guys will go elsewhere
> (which, so far, they have).

My claim is that, while indeed it is easier to set the initial barriers higher when you design with greater hindsight, and some of the tractable, but not widely deployed email security measures will be there in IM systems from the start, nevertheless IM systems if they are to encroach on the ubiquity of email for ad-hoc communications between strangers (it is far easier to address strangers via email today) will encounter exactly the same intrinsic issues, and that technical measures will have equally partial efficacy.

I am willing to speculate that the more likely scenario is that IM will not become the ubiquitous medium that email is, and will escape the problem by avoiding scope creep.

I am willing to speculate that people will continue to unfairly tarnish the competence of the email RFC writers, without regard to the intrinsic properties of the medium.

-- 
Victor Duchovni
IT Security, Morgan Stanley

---------------------------------------------------------------------
The Cryptography Mailing List