We agree on the necessity of verifying the sender address as a predicate to stopping spam.
> I said server based authentication of identity was good, you suggested 2
> failed standards for implementing this, and I pointed out why I thought
> they failed.

> > We could devise some other ad hoc server signed approach, or the IETF
> > could put out an RFC tomorrow, but then we are still stuck with your
> > "network effect" objection.

> If Yahoo or AOL tomorrow said, "we will add this header, and you can use
> this formula to confirm the message came from @yahoo.com or @aol.com,"
> then it would be immediately valuable. No network effect required.

If you are satisfied with a fractional percentage of messages using such a technique, that is fine, but I would consider that the network effect. Its value is directly proportional to the percentage of messages using it.

> people attributed lack of adoption because we didn't have a
> "big enough scare" to make people adopt security.

I think there is a good deal of truth to that. S/MIME hasn't caught on because it does not have zero cost, and requires at least a few minutes of effort to set up, so until people are smacked silly upside the head, they won't change from the status quo.

Generally, most people couldn't care less if the address is authenticated or not. They just assume that it is, until they get burnt. They accept the risk because it is generally low. Until they are forced to care by changing conditions, they won't change. Even now, people will just look for other filters and chalk it down to exceptional conditions instead of systematic, intentional and increasingly sophisticated fraud. I'm afraid that it will take an almost total failure of the e-mail system before people will deal with it.

Another issue is that the very thing you want, which we can get from S/MIME, is something that other people don't want. I have maintained for years that anonymity on the net is what empowers the behaviors we find objectionable. Others believe that anonymity == privacy.

> > I never do this with a mailing list, but for illustration purposes, I will
> > sign this e-mail.

> An excellent example of network effect. Nobody really cares about a
> signature because the lack of it does not mean anything. So nobody
> uses it, aside from the fact that it's a pain.

Well, I don't do it because generally people don't care, and it doesn't work with an archiver (http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED] he.org&msgNo=7146&raw=true). And we've already talked about why most people lazily accept the status quo.

In any event, if you want to propose a variation of S/MIME where we attach a signed digest made from some selection of the RFC 2822 headers, subject and body content (other than the digest part), and promote it, that's OK with me.

--- Noel
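
The signed-digest idea from the closing paragraph of the message above, sketched as an added example that is not part of the original message. The header selection, the `X-Signed-Digest` header name and the key are assumptions, HMAC-SHA256 stands in for the sender's public-key signature (which the Python standard library does not provide), and only single-part text messages are handled.

```python
import hashlib
import hmac
from email import message_from_string

SIGNED_HEADERS = ("From", "To", "Subject", "Date")  # assumed selection of headers
DIGEST_HEADER = "X-Signed-Digest"                    # hypothetical header name

def canonical(msg):
    """Bytes covered by the signature: the chosen headers, then a body hash."""
    lines = []
    for name in SIGNED_HEADERS:
        # Unfold and collapse whitespace so relay re-folding does not matter.
        value = " ".join((msg.get(name) or "").split())
        lines.append(f"{name.lower()}:{value}")
    body = msg.get_payload().replace("\r\n", "\n").rstrip("\n") + "\n"
    lines.append(hashlib.sha256(body.encode("utf-8")).hexdigest())
    return "\n".join(lines).encode("utf-8")

def sign(raw, key):
    """Return the message text with the digest header attached."""
    msg = message_from_string(raw)
    del msg[DIGEST_HEADER]  # discard any digest header already present
    msg[DIGEST_HEADER] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg.as_string()

def verify(raw, key):
    """True only if exactly one digest header is present and it matches."""
    msg = message_from_string(raw)
    claimed = msg.get_all(DIGEST_HEADER) or []
    if len(claimed) != 1:  # missing or duplicated header: treat as unsigned
        return False
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(claimed[0].strip(), expected)

# Constructed sample message and key, for illustration only.
DEMO_KEY = b"constructed-demo-key"
SAMPLE = (
    "From: alice@example.com\n"
    "To: list@example.org\n"
    "Subject: hello\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    signed = sign(SAMPLE, DEMO_KEY)
    print(verify(signed, DEMO_KEY))
    print(verify(signed.replace("alice@", "mallory@"), DEMO_KEY))
    print(verify(signed + "-- \nlist footer\n", DEMO_KEY))
```

The last call shows that a footer appended in transit changes the body hash, so any intermediary that rewrites the body invalidates a digest of this kind, while headers outside the signed selection can be added freely.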