On Sun, 28 Aug 2005 11:29:51 +0200, Sander Devrieze <[EMAIL PROTECTED]> wrote:

> On Sunday 28 August 2005 00:31, Tijl Houtbeckers wrote:

>> The point is, if you're just gonna introduce accountability there is no
>> point as long as our XMPP network itself has such low standards of anti
>> spim measures and spim related technology (e.g. spim detection: I seriously
>> doubt any automated spam detection will work very well on spim).

> The authority might require you, for example, to fix or disable in-band
> registration before it gives you a certificate. Another requirement might be
> that you deny access to your server from spimming people. Remember that a
> server will not be blacklisted immediately when some user of it starts
> spimming; it should be a structural spim problem: many spim and no actions
> from the server admin to solve the problem after other servers pointed the
> server to the problem.

Well, what CAs traditionally do is make sure the certificate they provide you with is accountable. Once you have that, you can use it to prove your identity to people (up to a certain point of course). If you expand the role of the CA to become the policer of a community and make it responsible for white/black listing servers or even other CAs you're no longer talking about an open network. You're in fact centralizing the control into an organisation, "federation" if you like.

I don't have a problem with that, if people want to do that, that's fine. However, I'd rather see them use this to raise the level of trust between certain servers, not to exclude everyone else. So while it's fine what you suggest, I think (imho) it's naive to assume this is the solution to all our problems. The "darwin" effect in such an organization will not just be who's best at blocking spim, but also power, money, influence etc. (in other words, politics).


>> In short, I think introducing accountability for servers (by certificates
>> or another method) is overrated as a solution for combating spim (or
>> spam). All it does is take the problem one level up (to servers) from
>> where it really comes (users), which seems fine till the spimmers come in
>> and suddenly a whole server gets blacklisted (and you see the problem also
>> propagates to the next level). Same when you take it yet another level
>> higher (whitelisting CAs).

> I don't agree. If the server admin takes actions to solve the spim, he *never*
> will lose his certificate. If he is blacklisted because he did nothing, he is
> punished as he will lose users. If it is a commercial server fewer users means
> less earnings. So it is the money that finally drives them to be very
> hard for spimmers and help us with techniques to fight spim.

A good admin might never lose it (I wouldn't be that sure (see above), but let's assume this). What about a good user? If I'm a good user on what once was a good server with a good admin. Then they hire a worse one, (s)he fucks up, and now I can't communicate with my friends? Why? Cause you pushed a problem that comes from users, bad users (spimmers), and pushed it to the server level. Same as the original idea of whitelisted CAs (though you seem to agree with me on that now). What if I'm a very good admin, I get a certificate from some form of CA. Later that CA wants to make more money (VeriSign? :P) so they decide to skimp on checking their users and issue a bunch of certificates to spimmers. The CA gets blacklisted, and suddenly my server (and all the users) can't communicate anymore?

In fact, I can accept all those things ("federations" of trusted networks, policing "CAs", etc.) as long as when my server (or CA) suddenly gets blacklisted, or if I in fact don't want to belong to any of them, I can still communicate with them. *Certainly* with the users already on my roster that have me in their roster, but I should still be able to add new users too. There can be a "price" for this, maybe the other server will send me some kind of test, or maybe it will even require me to have some kind of registration on that server, and maybe it will not require those things if I can automatically (transparently to the other user) establish there is already a trust relationship between us. Or any other things we can think of.

With this, it is possible for a server to guarantee to their users a certain level of reliability and quality regarding the identity of the other user that tries to contact them, regardless of whether that user is on their own server or from somewhere else. If we can offer that to Google, why would they refuse?

I personally think these techniques are the most important for building a reliable, truly open network. If they work well, the need for a "federation" or something else that decides who can and can't be (trusted) on the network might not even be so great. (though it could still have its uses)
_______________________________________________
jdev mailing list
[email protected]
http://mail.jabber.org/mailman/listinfo/jdev
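The tiered first-contact policy sketched in the message above (an existing mutual roster relationship is honoured regardless of server-level listings, a trust relationship already established is reused transparently, the remote server's federation/blacklist standing is consulted next, and otherwise first contact carries a "price" such as a test) as an added Python example; this is illustrative code written for this page, not anything from the thread or any XMPP server, and the JIDs, domain names and policy fields are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"        # deliver the stanza to the local user
    CHALLENGE = "challenge"  # ask the remote sender to pass a test or register first
    REJECT = "reject"        # sender is a known spimmer; deny access to this server


@dataclass
class LocalPolicy:
    """Server-side state this example assumes (all fields are constructed)."""
    trusted_servers: set = field(default_factory=set)      # federation whitelist
    blacklisted_servers: set = field(default_factory=set)  # structural spim problem
    blocked_senders: set = field(default_factory=set)      # bare JIDs denied outright
    rosters: dict = field(default_factory=dict)            # local bare JID -> mutual contacts
    verified_pairs: set = field(default_factory=set)       # (sender, recipient) that passed a test


def bare_jid(jid: str) -> str:
    """user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def domain_of(jid: str) -> str:
    return bare_jid(jid).rsplit("@", 1)[-1]


def decide(policy: LocalPolicy, sender: str, recipient: str) -> Decision:
    """Decide what to do with a message from a remote sender to a local recipient."""
    sender, recipient = bare_jid(sender), bare_jid(recipient)
    if sender in policy.blocked_senders:
        return Decision.REJECT
    # 1. A mutual roster relationship outranks any server-level listing, so a
    #    blacklisted server does not cut its good users off from their friends.
    if sender in policy.rosters.get(recipient, set()):
        return Decision.ACCEPT
    # 2. A trust relationship already established for this pair is reused.
    if (sender, recipient) in policy.verified_pairs:
        return Decision.ACCEPT
    # 3. Otherwise consult the remote server's standing in the federation.
    remote = domain_of(sender)
    if remote in policy.trusted_servers and remote not in policy.blacklisted_servers:
        return Decision.ACCEPT
    # 4. Unknown or blacklisted server: still reachable, but first contact has a price.
    return Decision.CHALLENGE


def record_challenge_passed(policy: LocalPolicy, sender: str, recipient: str) -> None:
    """Remember that sender passed the test so later messages are not challenged again."""
    policy.verified_pairs.add((bare_jid(sender), bare_jid(recipient)))
```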
