[cap-talk] can one use capabilities to stop spam without identity?

Matej Kosik kosik at fiit.stuba.sk
Mon Jan 22 02:32:32 CST 2007


Rob Meijer wrote:
> On Sun, January 21, 2007 13:52, Matej Kosik wrote:
> 
>>> What do you think?  It requires identity.  For human to human
>>> communication, this might be OK????
>> Such a scenario is possible but I do not see how it could shield Bob
>> from spammers. Spammers can create a script that creates a zillion
>> identities and sends Bob a zillion different requests for capabilities to
>> write to him. This would not help Bob because
>> - if he grants them, he will receive a zillion messages and then he must go
>> through them and sort useful from useless and one by one revoke those
>> issued capabilities.
>> - if he does not grant them, then he lives in his own closed world. This
>> is very simple but makes the system unusable.
>>
>> I see no better solution than the one described in Marc Stiegler's
>> book. You do not have to care who is writing to you in advance. This way
>> you can treat all people in the same manner. You are protected from spam
>> and if you are polite others (if they send you non-spam) will not lose
>> their money.
>>
>> Concerning the need of identities:
>>
>> Identities are here to discriminate among people without physically
>> meeting them. That is useful for
>> - revealing how trustworthy the other guy is with whom you want to
>> do some business (sell him something, buy something from him)
>> - revealing how trustworthy the journalist is whose articles you
>> want to read
>> - revealing how trustworthy the politician is who wants to be elected
>> by you (voting for anonymous faces in the communal politics is a
>> terrible option)
>>
>> The book sketches a scheme similar to a web of trust in which anyone can
>> build their own identity/ies.
>> --
>> Matej Kosik
> 
> The use of identities for spam 'should' imho be that if done right it
> should assure that one person only holds one identity, thus limiting the
> scenario above. I feel that the validation process that CACert.org uses
> might prove rather useful for these purposes.
> If Alice would use her CACert certificate to sign her communication
> request, Bob could use his certificate to sign this request. The signed
> request could after this actually act as a delegatable capability both to
> send mail to Bob and to send mail to Alice. There are some more details to
> address, but basically it could work almost as simply as this.

These mechanisms could help Bob if:

# there were a single certification authority (for example CACert)
which everyone would use (if not, the certification authorities would
divide people into disjoint subgroups that cannot communicate without
the threat of being spammed)

# there was a list of spammers

Then Bob would know whether or not to grant a permission to someone.

Do you think these two preconditions can be fulfilled?

Regards
-- 
Matej Kosik
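
The counter-signed request sketched in the quoted message, gated by the two preconditions from the reply, as an added example that is not part of the original thread. Toy-sized textbook RSA over known Mersenne primes stands in for CACert certificate signatures; the function names, token layout, key values and sample addresses are all assumptions made for illustration.

```python
import hashlib

E = 65537  # RSA public exponent

def make_key(p, q):
    # Toy textbook RSA from two known Mersenne primes; NOT secure key sizes.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == digest(msg, n)

# Constructed key pairs (assumption: the modulus doubles as the certified identity).
ALICE = make_key(2**89 - 1, 2**107 - 1)
BOB = make_key(2**61 - 1, 2**127 - 1)
MALLORY = make_key(2**31 - 1, 2**521 - 1)  # never certified by the CA

def grant(bob_key, certified, spammers, sender_n, request, sender_sig):
    """Bob counter-signs only if both preconditions from the reply hold."""
    if sender_n not in certified:   # precondition 1: vouched for by the single CA
        return None
    if sender_n in spammers:        # precondition 2: not on the list of spammers
        return None
    if not verify(sender_n, request, sender_sig):
        return None
    bob_sig = sign(bob_key, request + str(sender_sig).encode())
    return (request, sender_sig, bob_sig)  # bearer token, so it can be delegated

def token_valid(token, alice_n, bob_n, revoked=()):
    """Check that either Alice or Bob runs before accepting mail sent with the token."""
    request, alice_sig, bob_sig = token
    if bob_sig in revoked:
        return False
    return (verify(alice_n, request, alice_sig)
            and verify(bob_n, request + str(alice_sig).encode(), bob_sig))

if __name__ == "__main__":
    req = b"alice@example.org requests permission to write to bob@example.org"
    tok = grant(BOB, {ALICE["n"]}, set(), ALICE["n"], req, sign(ALICE, req))
    print("granted:", tok is not None,
          "valid:", token_valid(tok, ALICE["n"], BOB["n"]))
```

The `certified` and `spammers` sets are exactly the two things the reply asks about: without a single authority and a shared list, `grant` has nothing to decide on.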
