Hallam-Baker, Phillip wrote:
>> Correct which is what the current blacklists do. It is up to you to
>> figure out whose opinions you trust. An accreditation service
>> for someone, a reputation service is stating an opinion of
>> reputation. The two things are different.
> Absolutely not. An accreditation service is simply stating a fact, any fact
> at all about the subject.
Ok, I will accept that (although somehow whenever I think
"accreditation" I am getting a knee-jerk reaction that it will
automatically cost money).
So what we have is as follows (I think):
1. MTA identity.
2. Domain identity.
3. Sender's identity.
And now different accreditation services that provide facts about that
subject in two situations:
1. The sender/MTA/domain explicitly states that it is accredited with a
2. The receiver uses an accreditation service to obtain information such
as reputation about a specific subject without that subject telling the
Several things bother me here. First of all, the MTA, sender and
sender's domain are different identities and require different
mechanisms. The MTA might want to advertise accreditation with ESMTP or
DNS, while the domain or sender might want to do so via an email header.
Second, checking multiple accreditation authorities with a more
complicated syntax slows down the filtering process.
Third, checking accreditation on per sender basis slows things down even
more and allows for a DDoS attack against the accreditation authority
and the receiver.
> The whole point of introducing the term was to serve as a more illustrative
> name for what in SAML are called 'attribute assertions'.
An interesting thought - can we use SAML for exchanging reputation and
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)