On Sun, 07 Jul 2002 18:07:15 -0700
Chuq Von Rospach <chuqui @
> On 7/7/02 5:41 PM, "J C Lawrence" <claw @
>> Yeah, we've been down that road on this list and elsewhere.
>> SMTP/TLS, reverse auth, PKI infrastructures, yada yada. A whole lot
>> gets solved by providing mutual identity verification/authentication
>> systems for distributed systems even outside of mail.
> Does it?
Agreed, "solve" was an overly aggressive and inclusive term.
> Assume for a minute...
Without full biometric and willing consent verification yada yada across
the transmission you can't guarantee full veracity, and even then there
are cheesy little holes along with the big one that really can't ever be
Not the point.
The root problem of solving the question of, "I really said that and I
meant to say that, and I am who I say I am," is explicitly unsolvable,
even in dreams. BUT we can and do approximate it. The old standards of
trusting a From: header was an approximation, and at that time an
acceptable and workable approximation. I'm sure most of us dinos had
fun at some point forging netnews posts and might of even had a giggle
with a forged gag or two. That didn't stop the system of basic trust in
From: headers from working as the percentages against it just weren't
Given that this is a problem that just can't be solved in any absolute
sense we're stuck with questions of acceptable approximations and thus
an arms race of keeping the degree of accuracy at least a smidge ahead
of the predominant Black Hat behaviour. That, specifically, is doable,
has been doable, and given my guesses will remain doable for quite a
ways yet. Yeah, the arms race is accelerating, but spammers are
interested in Very Large Number behaviours against small percentages.
That gives us, at the edge, some advantages.
> And all of that is wonderfully authenticated and validated -- and
> completely worthless. In practice, very quickly you turn back to
> blacklisting through IP addresses. Which is what we do now...
But it buys time, and that's the persuasive factor. Its a "good enough"
> If you assume the ability for an e-mail address to "roam", and there's
> no practical way to stop that, then there's basically no way to tell
> the difference between this piece of email, and a spammer's piece of
> email coming to you via some random open relay..... And since either
> one could easily have the magic cookie of a PKI or other auth
> structure attached, a PKI system doesn't solve the problem of spam
Yup, the same thing is true of digital certs/signatures tied to your
posting account. It pretty rapidly heads for external trust mechanisms
where 3rd parties attempt to ensure the veracity/non-abuse of a given
certificate -- and we all know the problems that walks straight into.
>> Any content that is used to render a message that is also not local
>> to the message can be used retro-actively as a web bug.
> [followed by a solid proof why you can't solve this problem with a
> geek solution....]
Ha! Thanks. I'm heading for that approximation bit again, especially
if I can make (most) weasel attempts fairly obvious.
>> A pillory can be a useful and educational thing.
> She is a witch! may we burn her?
Does she float? Wood floats! Burn her!
J C Lawrence
---------(*) Satan, oscillate my metallic sonatas.
nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.