[ih] what is and isn't the web, was Rise and Fall of the Gopher Protocol

Paul Vixie paul at redbarn.org
Mon Aug 22 09:17:03 PDT 2016



Stephen Casner wrote:
> On Sun, 21 Aug 2016, Dave Crocker wrote:
>
>> Telephone calls and postal service did not (and do not) require
>> authentication before the call completes or the message is delivered.
>> Email was designed with the same level of authentication as the existing
>> personal communication services, namely none.
>
> And for telephone calls that is proving to be a serious deficiency.

when we created the first distributed internet reputation system (MAPS 
RBL) there was considerable pressure to make it positive rather than 
negative. this would have made the internet into a "gated community".

my problem with gated communities is that it's impossible for the girl 
scouts of america to go door to door selling cookies. that may sound 
subjective and/or trivial, but economies and communities and cultures 
grow from roads moreso than from walls.

lack of authentication/authorization in smtp is a small matter compared 
to the lack of source address validation on packets themselves, 
considering that dns and ntp and other udp protocols, and tcp itself 
during the first two phases of the 3-way handshake, are stateless and 
therefore perfect ddos amplifiers.

in other words the problems of untrustworthy parties connected to the 
internet are so fundamental and so toxic that de-peering or other 
disconnection is the only possible defense. adding authentication and/or 
authorization to every internet application is so much harder that we 
know it can never be accomplished.

-- 
P Vixie


