Re: [IETF-PKIX] Certificate Directories and Spam
At 01:30 PM 12/29/97 -0500, you wrote:
>>It seems to me that publicly accessible directories with certificates in
>>them, especially those with email addresses conveniently located in the
>>subjectAltName field will provide an irresistible source of targets to
>>Spammers. The reason for raising this issue on this list, is that it seems
>>to me that if this does happen it could greatly retard the deployment and
>>acceptance of an Internet PKI.
>
>If this really is a concern we could include the SHA-1 hash of the email
>address in the cert rather than the address itself.
This is an intriguing idea, which sounds bizarre at first, but I can't
really think of anything wrong with it.
>I don't think this is very important however since there are already many
>ways for a spammer to get addresses, USEnet, mailing lists etc. 10 million
>addresses can be had for fifty bucks.
This is like saying "bread comes from the supermarket." The people selling
lists need a source.
As far as the others go, the key difference is that today if you just send
email directly to other people, your address will not be collected. Even
if you join a mailing list, your address will usually not be noted unless
you send a message to the list. (Yes, I know that some listservers allow
queries, but I believe this practice is declining.)
In contrast, if your cert is publicly posted, it will be simple to harvest it.
>The latest trend being to flood
>mail servers with randomly chosen addresses in the hope that one or
>two in a thousand will get through.
I had not heard of this. It seems like this would be trivial to block. I
would be surprised if this tactic lasts for long.
Obviously, you do not literally mean "random". It is fascinating to think
what the optimum strategy for guessing email names would be. The address
space is very large, even assuming 8 character names, of order 10^13.
>I proposed a similar scheme for a refusal list. People could sign up on
>it and the list could be freely distributed to spammers without the danger
>that it would be used as a source of addresses. The problem is that
>the folk selling pyramid schemes, junk investments and the favourite
>- software to send SPAM have no interest in refusal lists.
I agree that no scheme that depends on the source can work.
>I think that the solution to the spam problem is likely to be legislative.
>The direct mail industry can fight it through the courts, libertarians
>can flame but the junk email is likely to disappear as completely as
>the junk fax did. At the very least the adverts for spamming services
>would go.
I am afraid you are dreaming, I see too many practical problems with any
kind of legal approach to work. The parallel between email and fax is very
weak. Spam will only stop if it stops working or becomes too expensive.
But this is getting pretty far off topic and I apologize to the rest of the
list. We can debate this off-line if you wish.
I would like to hear other opinions. Does anyone else think this problem
may discourage people allowing their certs to be publicly posted? Have the
email or directory working groups discussed this issue?
Hal
=================================================================
Harold W. Lockhart Jr. Platinum Solutions Inc.
Chief Technical Architect 8 New England Executive Park
Email: hal@platsol.com Burlington, MA 01803 USA
Voice: (781)273-6406 Fax: (781)229-2969
=================================================================
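As an added illustration of the hashed-address idea discussed in the message above (example code written for this archive page, not from the original message, the quoted poster, or any PKIX specification), the following Python computes the SHA-1 of a normalized address, checks a known address against that value the way a relying party would, builds a hashed refusal list of the kind proposed, and then runs the same lookup the way an address guesser would. Lowercasing the whole address and hex-encoding the digest are assumptions of this example; the thread does not say how the hash would be carried in subjectAltName, so no certificate encoding is modelled.

```python
import hashlib
import itertools


def normalize(address: str) -> str:
    """Canonical form that both the issuer and the checker must hash.
    Assumption of this example: the whole address is compared
    case-insensitively with surrounding whitespace removed; the thread
    does not settle on a rule, and without one the hashes will not match."""
    return address.strip().lower()


def hash_address(address: str) -> str:
    """SHA-1 of the normalized address, hex encoded (encoding is an assumption)."""
    return hashlib.sha1(normalize(address).encode("utf-8")).hexdigest()


def matches(cert_hash: str, candidate: str) -> bool:
    """A relying party that already knows the address it is mailing to
    checks it against the hash in the certificate instead of reading the
    address out of the certificate."""
    return hash_address(candidate) == cert_hash.lower()


def build_refusal_list(addresses):
    """Hashed refusal list: can be handed out without handing out addresses."""
    return {hash_address(a) for a in addresses}


def is_refused(refusal, candidate: str) -> bool:
    """The lookup a sender who honours the list would run before mailing."""
    return hash_address(candidate) in refusal


def guess_addresses(hashes, local_parts, domains):
    """Dictionary check of candidate addresses against a set of hashes.
    This is the same lookup a legitimate user of the list runs, so anyone
    with a good list of candidate local parts and domains can run it too:
    the hash hides only those addresses that are not on the guesser's list."""
    recovered = {}
    for local, domain in itertools.product(local_parts, domains):
        candidate = f"{local}@{domain}"
        digest = hash_address(candidate)
        if digest in hashes:
            recovered[digest] = candidate
    return recovered


# Constructed sample data for this example; not taken from the thread.
SAMPLE_ADDRESSES = ["alice@example.com", "bob@example.org", "zq7xk2@example.net"]

if __name__ == "__main__":
    cert_field = hash_address("Alice@Example.com")
    print(cert_field, matches(cert_field, "alice@example.com"))
    refusal = build_refusal_list(SAMPLE_ADDRESSES)
    print(is_refused(refusal, "bob@example.org"), is_refused(refusal, "carol@example.com"))
    found = guess_addresses(refusal, ["alice", "bob", "carol"], ["example.com", "example.org"])
    print(sorted(found.values()))
```

Run as-is, the guess step recovers the two guessable sample addresses and misses the random-looking one, which is the point of the caveat: a hash over an address protects it from harvesting only to the extent that the address itself is hard to guess, and the normalization rule has to be agreed on by everyone who computes the hash.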