Daniel Perry wrote:
> I think signed email could provide a way forward. But I think paid-for
> certificates are the wrong way to go, just as I think they were the wrong
> way to go with HTTP.
No one said anything about paid certs. Both Thawte and CAcert provide free
certificates for e-mail.
FYI, Thawte certified a whole bunch of new notaries at ApacheCon EU, and I
would add their WoT (and others as desired) to our key signing parties at
ApacheCon, so we can make a lot more notaries.
> It annoys me that I have to pay someone to sign a certificate
> so that people don't get warnings in their browser - who cares
> who signed the certificate? If the session is encrypted, it's
> encrypted.
> Anyone can get a signed certificate with fake details on it,
> so you're not even certifying the owner of the cert!
Well, no. That's actually why certificates cost money and/or effort. And
CAcert also offers free server certs, but their CA root certificate is not
accepted by any major browsers at this time.
> What's to stop spammers setting up domains and signing emails?
The effort to get certificates that will be accepted would be one
barrier --- they couldn't use invalid sender addresses anymore --- plus the
ability to revoke certificates used to send SPAM.
> You still need to check if that domain / account is used for spam
One problem with IP blocking is that you have to block or allow based on the
IP address of the SMTP relay, not on who the actual sender is. Signed
e-mail provides a much more selective scalpel.
> if you are doing the checking on the mail servers, why not verify the
> relaying servers address, not the email's domain.
That is a typical RBL approach. We already do that, as (in)effective and
coarse as it is.
> This eliminates the pain-in-the-ass for people like me who send
> email through several different servers / mail clients.
Signed e-mail solves that problem. Signed e-mail also permits delegation,
e.g., eBay wants to allow someone to send e-mail on their behalf. They can
provide a signing key to that third party to use for the purpose, and revoke
it after the campaign.
> People working for certification authorities aren't going to come
> up with a solution that doesn't require a paid-for certificate!
You are categorically wrong on this issue, as discussed above.
--- Noel
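The contrast Noel draws between relay-IP blocking and signer-based filtering, as an added illustration that is not part of the thread: a small policy model in which one decision consults only the relay's IP address while the other consults a verified signer identity plus a revocation list. The message set, addresses, and per-signer keys are constructed; HMAC stands in for a real S/MIME signature so the example runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for a certificate store: signer identity -> signing key.
# Real S/MIME uses X.509 certificates and public-key signatures; HMAC is only a
# placeholder here so the policy logic can be exercised without a CA.
SIGNING_KEYS = {
    "alice@example.org": b"alice-key",
    "campaign-sender@example.com": b"delegated-key",  # key handed to a third party
    "spammer@example.net": b"spam-key",
}
REVOKED = {"spammer@example.net"}      # revoked after the key was used to send SPAM
RELAY_BLOCKLIST = {"203.0.113.5"}      # RBL-style entry for a shared SMTP relay


def sign(signer, body):
    return hmac.new(SIGNING_KEYS[signer], body, hashlib.sha256).hexdigest()


def signature_valid(msg):
    key = SIGNING_KEYS.get(msg["signer"])
    if key is None:
        return False                   # no certificate for the claimed sender
    expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["sig"])


def decide_by_relay_ip(msg):
    """Coarse RBL-style decision: every sender behind a listed relay is hit."""
    return "reject" if msg["relay_ip"] in RELAY_BLOCKLIST else "accept"


def decide_by_signature(msg):
    """Selective decision keyed on the verified signer, independent of relay."""
    if not signature_valid(msg):
        return "reject"                # forged or unsigned sender address
    if msg["signer"] in REVOKED:
        return "reject"                # certificate revoked
    return "accept"


def make_message(signer, relay_ip, body, sig=None):
    return {"signer": signer, "relay_ip": relay_ip, "body": body,
            "sig": sign(signer, body) if sig is None else sig}


# Constructed sample traffic covering the cases discussed in the thread.
SAMPLE = {
    "alice_via_listed_relay": make_message("alice@example.org", "203.0.113.5", b"hi"),
    "spammer_via_clean_relay": make_message("spammer@example.net", "198.51.100.7", b"buy"),
    "forged_alice": make_message("alice@example.org", "198.51.100.7", b"hi", sig="00"),
    "delegated_campaign": make_message("campaign-sender@example.com", "198.51.100.7", b"sale"),
}


def evaluate(messages):
    """Return {name: (relay_ip_decision, signature_decision)} for each message."""
    return {n: (decide_by_relay_ip(m), decide_by_signature(m)) for n, m in messages.items()}
```

Running `evaluate(SAMPLE)` shows the legitimate user on the listed relay rejected only by the IP rule, and the revoked and forged senders rejected only by the signature rule.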