Revising the Internet Email Infrastructure

← Back to Stories (view on slashdot.org)

Revising the Internet Email Infrastructure

Posted by michael on Thursday May 8, 2003 @07:42AM from the starting-over dept.

Lauren Weinstein writes "People For Internet Responsibility (PFIR) today released a white paper aimed at starting discussion and work to fundamentally revamp Internet e-mail systems to control spam, forgeries, and a range of other problems, while empowering e-mail users rather than ISPs." Excellent start.

3 of 311 comments (clear)

Min score:

Reason:

Sort:

PIT/PCA Questions by Hayzeus · 2003-05-08 07:55 · Score: 5, Interesting

I may be wrong, but what, exactly, is to keep spammers from becoming their own PCA? Why can't they simply generate PITs willy-nilly?
Sure, ISPs can block PITS from unsavory PCAs, but what stops spammers from creating new, bogus PCAs as needed? If there are only a few "recognized" PCAs, doesn't this tend to concentrate power into a relatively small set of entities?

--

Roving Web-Teleoperated Robot
Like all PKI schemes... by stevens · 2003-05-08 08:01 · Score: 5, Interesting

...it lives and dies by the efficacy of the CAs. If the CAs suck, then the credentials they send with email mean nothing.

I like the idea, but I wonder which sort of orgs are going to be their "PCAs"? ISPs pretty much allow any comer onto their network, so giving all users a cert wouldn't stop people from making temporary accounts for spam.

Perhaps the ease with which MTAs could cut off CAs (like cutting off domains) would help give incentive to ISPs (or whoever is the PCA) to crack down on their customer base, but that strategy is only marginally successful today. Why would creds make this strategy any better?

Perhaps MTAs would be harder to config as open relays, because authn is required. But what percent of spam comes through open relays? If it's a big percentage, then this may help.

Has anyone analyzed this scenario? I'd like to hear some informed thoughts on what sort of email regime we could expect if this were implemented.
Re:This is a total dead end. by Xentax · 2003-05-08 08:20 · Score: 4, Interesting

I dunno -- when I read the paper, one big group of candidates that came to mind as potential PCAs are those very same end-user ISPs.

That is, when you sign up for dialup, or broadband, or whatever services your ISP provides, you'd get access to their mail server, *including* Pits certified by that ISP for any messages you send via their mailservers (given that you authenticate with them, something POP3 and IMAP already support, right?). It certainly keeps a fair amount of control and influence in the hands of that ISP, but it doesn't *preclude* alternatives, and it WOULD make it easier for those ISPs to follow good/friendly practices.

That way, any other ISP/mail provider who is willing to receive emails from *YOUR* ISP would deliver your mail. Should your ISP get a reputation for harboring spammers or other miscreants, any given mail provider can choose to simply reject your ISP as a valid certifier (or subscribe to a RBL-equivalent watchdogging the various PCAs, perhaps).

Obviously an ISP as your (or one of) your PCAs wouldn't be for everyone. Obviously there'd be a bit of a setup challenge, as far as getting various ISPs and other mail providers to recognize each other as valid PCAs. But those aren't insurmountable problems.

In fact, it sounds a lot like the SSL certification system (probably no coincidence). Hierarchical PCAs would certainly be one way to organize the solution...

Xentax

--
You shouldn't verb words.