[Asrg] Cert-based Spam Fighting (rant)

["Justin B. Newman" <justin.newman@binhost.com>]

> For the purposes of fighting spam the following configuration would be
> sufficient:
>
> 1) Alice's client generates self signed cert
> 2) Alice's client uses DNS srv to discover XKMS service for email zone
> 3) Alice's client registers certificate with XKMS service
>
> 4) Alice sends email to Bob
>
> 5) Bob's client looks up policy of Alice's DNS zone, it is always
> authenticate
> 	using S/MIME, no root key specified, XKMS service specified.
> 6) Bob checks that message is signed correctly
> 7) Bob retrieves Alice's self signed cert via XKMS locate
Has anyone here suggesting the use of certificates in fighting spam 
done an S/MIME interoperability testing?

<rant>
I'm all for the use of PKI to solve the world's problems... but... 
the fact is that the current implementations of S/MIME in off the 
shelf email products is worse than any implementation I've ever seen.

I'd seriously recommend that folks interested in utilizing PKI first 
survey the industry's capability of providing a PKI-based solution 
that works.  How many websites do you hit with IE/Mozilla throwing up 
its hands about a bad certificate?  Is it the site's fault or the 
browser's?  Usually the site's.  That said, have you ever tested the 
cert chain following capabilities of the browsers?  Talk about a 
buggy area.

I won't even go into certificate revocation issues...

</rant>

-jbn
(Former/Recovering PKI Implementer)


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg