[ih] what is and isn't the web, was Rise and Fall of the Gopher Protocol
paul at redbarn.org
Mon Aug 22 09:17:03 PDT 2016

Stephen Casner wrote:
> On Sun, 21 Aug 2016, Dave Crocker wrote:
>> Telephone calls and postal service did not (and do not) require
>> authentication before the call completes or the message is delivered.
>> Email was designed with the same level of authentication as the existing
>> personal communication services, namely none.
> And for telephone calls that is proving to be a serious deficiency.

when we created the first distributed internet reputation system (MAPS
RBL) there was considerable pressure to make it positive rather than
negative. this would have made the internet into a "gated community".

my problem with gated communities is that it's impossible for the girl
scouts of america to go door to door selling cookies. that may sound
subjective and/or trivial, but economies and communities and cultures
grow from roads more so than from walls.

lack of authentication/authorization in smtp is a small matter compared
to the lack of source address validation on packets themselves,
considering that dns and ntp and other udp protocols, and tcp itself
during the first two phases of the 3-way handshake, are stateless and
therefore perfect ddos amplifiers.

in other words the problems of untrustworthy parties connected to the
internet are so fundamental and so toxic that de-peering or other
disconnection is the only possible defense. adding authentication and/or
authorization to every internet application is so much harder that we
know it can never be accomplished.