ietf-asrg

Re: [Asrg] New take on emerging idea. (yet another C-R system?)

2003-04-10 12:13:58
On Thu, 10 Apr 2003 00:38:28 -0700 
Brad Templeton <brad(_at_)templetons(_dot_)com> wrote:
On Wed, Apr 09, 2003 at 11:49:45PM -0700, J C Lawrence wrote:

People are free to run C/R systems.  

Which doesn't answer the question.

To be more specific, since these are endpoint systems, they can be run
without much need for standardization on the other end.

I disagree.

One can imagine laying down some standards for other ends that would
like to do something special but it's not a big pressing demand.
Normally we would see some established implementations and look to
standardize there.  If an MUA did challenge response, it could have
other copies of the MUA recognize and do "something" with the
challenge, though of course autoresponse is not normally the course on
turing test challenges.

I'm not interested in challenge formation, or even response type.  Those
are things for individual implementors to deal with, not us.  I'm
thinking of things like:

  -- How does my MUA acquire a consent token?

  -- How does my MUA send a consent token to someone else?

  -- How are consent tokens established and exchanged for:

    -- a list subscription via email

    -- a list subscription via non-email (eg amazon, ebay, etc)

  -- How are consent tokens maintained over time?

  -- How are consent tokens revoked, and is that transparent to
  possessors of that token?

  -- How is a consent token requested?

    -- Can specific lesser rights be requested?

    -- Can a consent token request state or announce what/why the token
    is being requested (contract statement)?

    -- Can consent token requests be forwarded? 

  -- How can consent tokens be shared (someone forwards their copy of a
  token to a third party for temp/one-time use)?

  -- Can a consent token be used to generate a one-time valid consent
  token for a third party?  ("You need to talk to my friend...")

  -- If a contract is made at token-request time, can there be automatic
  enforcement of that contract, with revocation clauses?  (ie what are
  the contract nouns?)

  -- What rights can be granted by a consent token, are there ranges and
  flavours of rights, and if so what are they?

  -- How can someone try and work through a C/R system when they fail or
  can't satisfy the challenge (eg foreign language, blind, etc)?
  (ie can there be a hinting layer?)

  -- To what extent can consent token processing be extended to or
  shared by MTAs and LDAs as distinct from and separate from the human
  user's client MUA?

  etc...

Then once that lot and other related questions are answered we can look
at how consent tokens and requests can be encoded into email, what the
range of expression types are, etc.  (plus addresses, Message-IDs, new
custom headers, etc)

Bubba emails Bruce and Bruce replies (the simple case).

That should always work or you have a broken system.  

Quite, but we have to remember that.

That includes however, that bubba mails bruce's alias, and the real
bruce replies.  I.e. simply whitelisting bruce's alias is not enough.

Yup, that's a variation on the forward/bounce example I gave later.

Bubba emails a list and several list members reply.

This is under the "it would sure be nice" category, but in general not
as much of a mandatory.  

I disagree but I also think this one can be handled fairly cleanly
without contorting anything.

You run the risk of spammers harvesting mailing lists and replying to
every message with some spam during the window, making it look like a
reply.  Though that bridge should be crossed when we come to it.

Exactly.  Realtime spamming remains a risk, and not one I think we can
handle at this level.

For private lists, this is more doable, and more desirable.

Yup, yea, and verily.

Bubba emails Boffo, Boffo forwards to Bernie, and Bernie replies.

I presume you mean not forward but what some mailers call a bounce...

Yeah.  I keep forgetting that I'm talking to people who actually know
about mail systems.

... where it looks like the mail came from Boffo.  This is similar to
the above.  Nice to do.

I consider it identical to the alias case you first mention.

Easiest solution -- all private mail comes from an unfiltered address.

People get attached to their email addresses.  JoeSixpack humans have
real problems with the mental distinction between role addresses (which
is essentially what you are advocating) and their personal identity.
I'd rather not go down that path if we don't have to.

You want to rescind consent to somebody or mail containing some token?
Just program your mailer to reject their mail.  The rest of the world
does not need your consent to mail you, at least not for person to
person mail.  This is a hard truth that some people in the anti-spam
community don't wish to embrace, unfortunately.

Excellent point.

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw(_at_)kanga(_dot_)nu               He lived as a devil, eh?           
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
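The question list above (acquiring a token, scoping it to lesser rights, one-time forwarding to a third party, expiry, and revocation that the holder only discovers on rejection) is easier to reason about against a concrete sketch. What follows is an added example, not code from this message, from the ASRG, or from any proposal in the thread: the token format (HMAC over tilde-separated fields), the separators, the `ConsentAuthority` class, `delegate_once`, the rights names and the addresses are all assumptions made here to illustrate one possible answer to several of the questions at once.

```python
"""Hypothetical consent-token sketch (added example; not an ASRG design).

A plain token binds grantee address, rights, expiry and a revocation epoch
under the recipient's secret.  A delegated token is minted by a token holder
(who has no secret) for a third party; its MAC is keyed on the parent's MAC,
so only someone holding the parent can mint it, and the verifier can still
recompute everything from the secret.  Delegated tokens are single-use and
cannot themselves be delegated (a wrapped delegated token fails to parse).
"""
import hashlib
import hmac
import secrets

SEP = "~"   # plain-token field separator; fields are assumed not to contain it
DSEP = "|"  # delegated-token separator; a plain token never contains it


def _mac(key: bytes, fields) -> str:
    return hmac.new(key, SEP.join(fields).encode(), hashlib.sha256).hexdigest()[:32]


class ConsentAuthority:
    """Recipient-side state: secret, rotation epoch, revoked MACs, spent nonces."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.epoch = 1
        self.revoked = set()
        self.seen_nonces = set()

    def issue(self, grantee: str, rights, expires: int) -> str:
        fields = ["v1", grantee, ",".join(rights), str(expires), str(self.epoch)]
        if any(SEP in f or DSEP in f for f in fields):
            raise ValueError("field contains a separator; encode it first")
        return SEP.join(fields + [_mac(self.secret, fields)])

    def revoke(self, token: str) -> None:
        # The holder is not told; they learn of revocation only on rejection.
        self.revoked.add(token.rsplit(SEP, 1)[1])

    def rotate(self) -> None:
        self.epoch += 1  # bulk revocation: every outstanding token goes stale

    def _check_plain(self, token: str, now: int):
        parts = token.split(SEP)
        if len(parts) != 6 or parts[0] != "v1":
            return None, "malformed"
        fields, mac = parts[:5], parts[5]
        if not hmac.compare_digest(mac, _mac(self.secret, fields)):
            return None, "bad mac"
        _, grantee, rights, expires, epoch = fields
        if int(epoch) != self.epoch:
            return None, "stale epoch"
        if mac in self.revoked:
            return None, "revoked"
        if now > int(expires):
            return None, "expired"
        return {"grantee": grantee, "rights": rights.split(","), "mac": mac}, "ok"

    def verify(self, token: str, sender: str, right: str, now: int):
        """Return (accepted, reason) for a message from `sender` exercising `right`."""
        if token.startswith("d1" + DSEP):
            parts = token.split(DSEP)
            if len(parts) != 5:
                return False, "malformed delegation"
            _, parent, third_party, nonce, mac = parts
            info, reason = self._check_plain(parent, now)
            if info is None:
                return False, "parent " + reason  # delegation inherits parent's fate
            body = DSEP.join([parent, third_party, nonce]).encode()
            expected = hmac.new(info["mac"].encode(), body, hashlib.sha256).hexdigest()[:32]
            if not hmac.compare_digest(mac, expected):
                return False, "bad delegation mac"
            if sender != third_party:
                return False, "wrong sender"
            if nonce in self.seen_nonces:
                return False, "replayed"
            if right not in info["rights"]:
                return False, "right not granted"
            self.seen_nonces.add(nonce)
            return True, "ok"
        info, reason = self._check_plain(token, now)
        if info is None:
            return False, reason
        if sender != info["grantee"]:
            return False, "wrong sender"
        if right not in info["rights"]:
            return False, "right not granted"
        return True, "ok"


def delegate_once(parent: str, third_party: str, nonce: str = None) -> str:
    """Holder-side: derive a one-time token for a third party without the secret."""
    nonce = nonce or secrets.token_hex(8)
    parent_mac = parent.rsplit(SEP, 1)[1]
    body = DSEP.join([parent, third_party, nonce])
    mac = hmac.new(parent_mac.encode(), body.encode(), hashlib.sha256).hexdigest()[:32]
    return DSEP.join(["d1", body, mac])
```

Two caveats worth keeping in mind when reading this against the thread. The `sender` comparison only means something if the MTA has already authenticated the sending address; a bare SMTP envelope or `From:` header is forgeable, which is exactly why the alias and bounce cases discussed above are awkward for whitelisting. And because delegation needs nothing but a copy of the parent token, anyone who can read the token (a harvested list archive, say) can mint one-time tokens from it; binding the parent to its grantee and making delegations single-use limits what a harvester gains, but it does not remove the "realtime spamming during the window" risk the thread flags.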