Now that I have FeedDemon, I've been able to catch up on what's happening in some more blogs. Where should I start?
James Kobielus has been doing some interesting stuff. You may remember we had a little spat where he bonked me for my “cypherpunk ways”. Is there such a thing as a “bad blog day”? Anyway, the truth is we agree on a lot more than we disagree on – and he has written very cogently about the issues I am passionate about.
There's a lot of ground to cover, but today I'll talk about his recent post on email as federation. He says:
Internet e-mail has been a federated messaging environment for quite some time: that’s been key to its success. I define “federated messaging” as “messaging domains that establish trust relationships under which they can choose to accept each other’s messaging assertions and honor each other’s messaging decisions – or reject them – subject to local policies.
I like this, though I would add that the key to early success seems in retrospect to have been that everyone chose a policy of “whatever” – or “no policy“. Who configured a security policy in SMTP back in the eighties or even the nineties?
Then he points out – and I really like this – how the essence of the messaging problem is the identity problem:
Federated messaging depends on a constrained variety of federated identity—in this case, each mail domain being able to register, vouch for, and manage its own mail identities (e.g., firstname.lastname@example.org).
So I like the framework James proposes, though as far as I can tell, we are only beginning to move toward email relationships based on proactive policies employing federated identity. In fact we've only gone a few inches (or maybe centimeters) in the right direction.
An example of progress? Well, some corporate SPAM filters are now designed to accept mail from known partners and servers – those with whom there is an established pattern of communication. Meanwhile they may apply extremely stringent controls to mail from unknown parties. And more recently people have begun working on designing and deploying “edge servers” that use cryptography and more formal trust relations.
But aside from these late initiatives, made necessary by goops of SPAM clogging our communications channels, hasn't SMTP messaging basically been a free-for-all with an identity system drastically weakened by its lack of authentication?
It's not as if we didn't know better. The 1988 X.400 specification had thoroughly captured all the issues (except, er… usability) and responded with a rigorous (some might say authoritarian) design. A bunch of people, like me, had even implemented systems based on it that worked. But in practice, the very necessity of establishing relationships between domains (federation) and the business models of the federators (e.g. – at the time – various telecom players) made X.400 look lugubrious and heavy-handed in comparison to the bottoms-up do-your-own-thing of SMTP.
I sure saw the writing on the wall. The score was to be Simplicity 98, Security 2. And we need to learn from this outcome, because the factors shaping it continue to apply even as we come, at the social level, to understand more about the need for privacy (of which protection from SPAM is an aspect).
So I'm not quite as pessimistic as James when he says:
Messaging federation, it seems, hasn’t deterred identity thieves in their efforts to grab identities scattered all over kingdom come. Instead, it’s made them more ingenious, creating a widespread directory-harvest-attack infrastructure. Lots of machines throughout the cybershmear are trained to raid the many mail-directory honeypots for unprotected spammunition.
I think the attacks he enumerates result from the lack of authenticated federation, rather than being caused by it. And I think our Unifying Identity System will in the end be the most significant contributor to solving these problems (there will also be short-term tactics that play a role as we get from “here” to “there”).
It was predictable that SMTP would triumph over X.400 in the early days of electronic mail because of its ease of deployment and use. It was predictable that this very ease of deployment would lead to the ravages of email SPAM. And it is now predictable that new identity-based technologies will arise to solve the problems of which SPAM is actually a mere symptom. Again, these are all examples of objective dynamics – from which superior architectural principles did not shield us.
James closes with two darn good questions about the inevitable attacks on the emerging identity infrastructure – questions which should not leave our minds for one second:
What form will they take? How can we nip them in the bud?