Szerző: Phil Pennock Dátum: Címzett: Murray S. Kucherawy CC: exim-users@exim.org, technique@dreamhosting.fr Tárgy: Re: [exim] problem : x-vbr=hardfail
On 2011-05-12 at 15:47 -0700, Murray S. Kucherawy wrote:
[ quoting Phil Pennock: ] > > So this just means that, for whatever "certification" organisations
> > altn.com is using when assessing via VBR, you haven't paid one of them
> > to be included.
>
> Right, and I agree it's not a concern unless someone you really need
> to reach implements VBR in some foolish manner. Not a cause for
> alarm, at least not yet.
[ This is veering off-topic for exim-users, so ideally we'd use a
different forum, but I'm not aware of a good mail-policy discussion
forum for longer-term thinking, so I'll continue here for now, in the
hopes that this remains constructive ]
If absence from a VBR list ever becomes a significant cause for concern
by postmasters then Internet email will have become a system where we
have to pay third party gatekeepers for permission to mail each other
privately.
I sincerely hope that this is never the case.
So if the absence becomes a cause for alarm, then that fact should be a
cause for meta-alarm.
I can see an approach of "well, you don't use VBR for pre-established
contacts, only for new contacts" but that allows for third-party
tracking and analysis of who talks to who, when contacts are set up,
which is itself a cause for alarm in any privacy-conscious culture.
Further, I predict that this itself would be the inch given that leads
to a mile taken, after which the lobbying organisations who specialise
in running third-party assurance providers would lobby in some major
jurisdictions to make the receiving postmaster liable for the
consequences of spam received if it wasn't vouched for, which
effectively kills off all non-VBR usage.
Given the track record of the PKI for TLS, it's clear that serious
lobbying and standards-body-control is used to pressure towards
standardising on only one body being able to vouch for a given
communication and attempts to change that are diverted into
privacy-compromising solutions, such as "have the web-browser send the
server a list of all trusted CAs".
I don't see any serious good coming from widespread deployment of a
system which makes third party organisations be global gatekeepers of
private communications. Local gatekeepers, such as paying an ISP or a
mail specialist provider or anti-spam service provider, these work well
(and Cloudmark is successful here, I believe?). But scaling control
infrastructures up to national or global levels is a fundamentally bad
plan.