Jon Udell is excited that people are paying attention to spammers forging their identity:
Yes, yes, yes! Pardon my euphoria, but I'm really pleased to see such a thoughtful and seasoned observer as John Patrick linking use of voluntary digital IDs to spam control [...]
Jon ends with this:
Maybe now we'll start to get some triangulation around the issue. The key (pardon the pun) is voluntary use of IDs -- a culture of identity, rather than anonymity.
In my experience, very few people are actually using digital IDs. I exchange email with several bloggers, and none of them (myself included) digitally sign their email. I think we all agree this is bad.
One problem with digital signatures is that they only make sense when there's a web of trust that can somehow connect the information producer with its consumer. Various BigCos offer us the option to certify our identities for a fee. Then, if you get an email claiming "From: Ziv Caspi" that carries a digital signature, you can check that the identity the signature represents has been issued to one "Ziv Caspi" by a BigCo which (you trust that) really knows what it's doing, has verified Ziv Caspi's identity through a credit card number, etc.
As a side-note, there are at least two men called "Ziv Caspi" living in Israel (Ziv is not a very common name, thank God). This means that if the other Ziv Caspi sends you email, and you are not careful to read the fine print in the certificate, you might think that's me. However, that other one is far better known, so he should be afraid that I will pull that trick on him, not the other way around!
Is there a way to associate a digital identity with some other identity not through a BigCo? One that comes to mind is to use your own weblog to represent yourself.
Here's how. Suppose I put as part of my weblog (http://radio.weblogs.com/0106548/) a LINK tag that describes my identity (my name, public key, etc). This is similar to the way LINK tags are used to point to our RSS feeds, RSS subscriptions, and blogrolls. When you get an email from Ziv Caspi it will be signed as "Ziv Caspi, http://radio.weblogs.com/0106548/". You can then go to my site to verify that the "text identity" is not forged. (We could also have weblogs.com act as a certificate authority for all the sites it hosts, but that will probably cost a lot of money.)
Why does it work? It works because you trust that nobody will bother to hack my weblog just to send you spam. All ways to hack my weblog (hacking DNS, hacking the host site itself, forging my identity and uploading false files to the host site, or hacking my machine while I use it) are either difficult or must be done per-victim, reducing the incentive for spammers to do so. If this is the first time you get an email from one Ziv Caspi, you can go to the indicated site and see that it is a real person. If you know me, or think you will conduct a long exchange, you can cache my identity for the next time you might need it.
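Here is the scheme above worked through in code, as an added example that is not part of the original post. It assumes the weblog publishes its key as a LINK tag with rel="identity" and an href of the form rsa:n:e (both made up for this example), uses a toy RSA on small well-known primes in place of a real library, and replaces the web with a constructed dictionary holding my weblog and the other Ziv Caspi's, so that the case from the side-note (same name, my URL claimed, his key) can be shown being rejected.

```python
import hashlib
from html.parser import HTMLParser
# Toy RSA on small well-known primes so this runs offline on the stdlib; keys this
# small give no real security and only stand in for a proper crypto library.
def toy_keypair(p=104729, q=1299709, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)
def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n
def sign(msg, priv):  # signature = digest^d mod n
    return pow(digest(msg, priv[0]), priv[1], priv[0])
def verify(msg, sig, pub):  # sig^e mod n must equal the digest
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])

class IdentityLinks(HTMLParser):
    # Collects <link rel="identity" title="Name" href="rsa:n:e">; rel and href format are assumed.
    def __init__(self):
        super().__init__()
        self.keys = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "identity":
            self.keys[a.get("title")] = tuple(int(x) for x in a["href"].split(":")[1:])

def verify_mail(mail, fetch=lambda url: WEB.get(url, "")):
    # Resolve "Name, URL" to the key published at URL, then check the signature.
    name, sep, url = mail["signer"].rpartition(", ")
    if not sep or not url.startswith(("http://", "https://")):
        return False, "signer is not of the form 'Name, URL'"
    page = IdentityLinks()
    page.feed(fetch(url))
    pub = page.keys.get(name)
    if pub is None:
        return False, f"{url} publishes no identity for {name!r}"
    if not verify(mail["body"], mail["sig"], pub):
        return False, "signature does not match the key published at the URL"
    return True, f"{name} verified via {url}"

# Constructed stand-in for the web: my weblog and the other Ziv Caspi's weblog.
MY_URL, OTHER_URL = "http://radio.weblogs.com/0106548/", "http://example.org/other-ziv/"
MY_PUB, MY_PRIV = toy_keypair()
OTHER_PUB, OTHER_PRIV = toy_keypair(p=15485863, q=7919)
WEB = {u: f'<html><head><link rel="identity" title="Ziv Caspi" href="rsa:{n}:{e}"></head></html>'
       for u, (n, e) in ((MY_URL, MY_PUB), (OTHER_URL, OTHER_PUB))}

def demo(body="Hi, here is my reply to your post."):
    # The impostor claims my name and my URL but can only sign with the other Ziv's key.
    genuine = {"signer": f"Ziv Caspi, {MY_URL}", "body": body, "sig": sign(body, MY_PRIV)}
    impostor = {"signer": f"Ziv Caspi, {MY_URL}", "body": body, "sig": sign(body, OTHER_PRIV)}
    return verify_mail(genuine)[0], verify_mail(impostor)[0]  # (True, False)
```

The other Ziv Caspi's mail still verifies when he signs it as "Ziv Caspi, http://example.org/other-ziv/", which is the point of the fine print: the reader (or a cached identity) has to compare the URL, not just the name.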
The bottom line is that digital identities (such as public keys) can only be associated with other types of digital identities (such as web presence). Today, digital IDs are associated with textual strings and a link to some BigCo. Tomorrow we might associate our IDs with our weblogs. This is just as good for spam-prevention purposes, and far more accessible.
Disclaimer: I am not a security expert. This post is based on my current understanding of how Internet security (in particular, certificates) works. If you find errors in the reasoning, please let me know.