[PLUG] Spam, Etc.

Paul Heinlein heinlein at attbi.com
Sat Jun 21 22:37:02 UTC 2003


On Sat, 21 Jun 2003, Jason Van Cleve wrote:

> > It just smells like bureaucracy.
> 
> Of course it does, but does that make it a bad idea?  Anti-spam laws
> are going into effect, and that's bureaucracy as well.

No, it's law enforcement. It's one thing to identify and prosecute
people who commit crimes. It's a whole different thing to build a
preventative infrastructure to keep that crime from happening in the
first place. The bureaucracy needed in the second instance is an order
of magnitude larger than that needed in the first.

> You wouldn't have to prove the cert' was yours, because you will
> have registered it.  So it's basically the same thing as someone
> getting a hold of your wallet, isn't it?  You find out about it, you
> cancel your old key, you get a new one.

Hmm. So some agency, somewhere, would have to

a. Keep a hard-copy record of which keys are registered with which 
   people and/or groups of people (corps, non-profits, government 
   agencies, softball leagues, etc).

   Considering the millions of people in this country who rely on 
   e-mail for communication, this involves a staggering number of 
   employees and a huge amount of real estate (those records have to be 
   kept somewhere). Since we're talking about identity, we're talking 
   about legal, signed documents -- not just electronic copies.

b. Have a process in place whereby an agency employee can validate 
   that a certain individual is qualified to purchase or revoke a 
   key under a given name or corporate identity.

   This implies a 24x7 coverage whereby I could walk into an agency 
   office while on vacation in, oh, Montana, and report my key as 
   stolen. The staff there could *immediately* get a legal copy of my 
   original request and verify that I indeed have the signature and 
   other legal documents necessary to prove that I'm qualified to 
   revoke a key under my name.

   VeriSign does this sort of thing now, but its primary customers are 
   organizations with professional managers and admins.

   Their costs would skyrocket, however, if their clientele was 
   suddenly not Generic Corp., but Joe and Jane Generic. It's 
   difficult to steal the cert verifying www.usbank.com. Stealing the 
   certs of the non-tech-savvy people you want to protect is a 
   relative piece of cake.

c. Have a near-instantaneous way to propagate or revoke a key.

   Contrary to your reply, this is *not* like DNS. DNS records are 
   distributed, but cached copies are regularly out of date by at 
   least a few hours, and perhaps by a few days. That might be 
   acceptable for a hostname, but it's certainly not for personal or 
   corporate identity, particularly if there's fraud involved.

   The credit-card companies are the only agencies that have a 
   consumer-oriented anti-fraud infrastructure that even begins to 
   have this sort of responsiveness -- but they're funded by high 
   interest on consumer debt. I laugh at the chance that you'd be able 
   to rally public support for a tax or fee structure that could 
   generate even a small percentage of that level of funding.

d. Have a process in place whereby keys are expired regularly.

e. Have procedures in place to reduce the likelihood that a rogue 
   employee or group of employees could defraud the process.

   This means more bureaucracy and less efficiency. A lower efficiency 
   rate would have to be built into the system to guarantee that the 
   watchers are watched.

f. Maintain a distributed server farm capable of storing accurate 
   records for millions of citizens, with an effective 100% uptime for 
   both systems and network connectivity.

   Have you priced Akamai's services lately?

g. Maintain said distributed server farm with a near impeccable 
   security record. Trust would be everything in this situation. The 
   costs would include physical security, electronic security, and a 
   well trained (and therefore probably well paid) set of network and 
   system administrators.

   Oh, and those admins would have to devise a system so that keys 
   couldn't be harvested in the same way that e-mail addresses are 
   now. I mean, if the keys are publicly available, what's to stop a 
   spammer from just harvesting the keys?

> I'm thinking with a public key system, the private keys wouldn't be
> stored there, so they couldn't do much harm.  It would be like that
> attack on eight of the root DNS servers a while ago:  largely
> inconsequential.  When the identity servers are down, emails don't
> get validated.  No biggie.

So you're a contractor, and your bid doesn't get to your potential 
client in time because the identity server is down. Is it still 'no 
biggie'?

The cost of maintaining a public electronic identity-verification
system would be huge. The thing is, regardless of whether the system
was 'opt in' or not, only the costs associated with point a. would be
lower with fewer people registering keys. The rest, b. through g., 
would still have to be paid for and maintained regardless of the 
number of people who opted into the system.

--Paul Heinlein <heinlein at attbi.com>