> -----Original Message-----
> From: Dean Brooks [mailto:dean@iglou.com]
> Nobody has to buy a SSL cert if they dont want to. They
> simply use their
> ISP's mail server, which is almost assuredly a better choice anyway
> for most smaller organizations.
Maybe, if the ISP lets them use their own domain name. But it's not clear
to me that that route will work with SSL authentication -- won't mail from
foo@??? have to match a bar.com SSL certificate? (And if not, what
exactly are you authenticating?)
> Nobody would be forced to buy a cert for their mail server,
> but if they
> want to communicate with the participating ISPs, they would have to
> pay to play.
That's what I object to. You're giving a small number of big companies the
power to control who can and cannot send email. That's ripe for abuse. Do
you really want Verisign deciding if you can send email or not? What if
your company criticizes them? What if you undercut their hosting prices?
You might find your "license to email" has been revoked! Meanwhile the
spammers will still get through, by stealing credentials from someone else
or compromising sites that have valid certs.
