Justin Mason wrote:
> I've been thinking about this. It might be useful to offer a plugin
> implementing this hashcash, since it'd offer a good way to come up
> with an unforgeable FORGED_MUA_OUTLOOK rule.
> However, we'd have to be sure that the CSRI algorithm really is
> sufficiently open, and not patent-encumbered, since this *is* MS we're
> talking about :(

Indeed. I have yet to see the IP part of the story. After all, callerId was
"open" too...

And I'll add a few points:
- As Hamman and Matus said, and as already known, $postage is yet to be
proven effective in a zombie world. One thing that is known is that it
is unfair for legitimate bulkers. It is also globally suboptimal.
- If BCC results in separate mail, then an MSA will get more mail. Not
critical, but this is not optimal. Also, there will be multiple
responses of the MSA. Given that it is already confusing when an MSA
rejects a few recipients (domain doesn't exist, etc.), this will only
add to the confusion ("should I resend to everybody or only to a few
people"...).
- If this becomes widely used, there is a risk that organizations will
require it, or at least set up different policies based on that. This
gives an unfair advantage to MS products. (After all, if everybody sends
"MS word" documents, it's because everybody believes that "everybody
uses MS word"...).
- Outlook (and Exchange) is a large piece of software. It had serious
vulnerabilities in the past. It is thus legitimate to think that there
may be serious bugs in the x-cr-* implementation. It would have been a
little better to implement the hash stuff in a standalone service (proxy,
...).
- Is there a problem with hashcash? Why didn't MS choose it? If there's a
problem, it would be good to disclose it.