Re: [Asrg] New take on emerging idea. (yet another C-R system?)
2003-04-10 14:24:44
On Thursday, April 10, 2003, at 01:57 PM, Kee Hinckley wrote:

> At 12:52 PM -0700 4/10/03, Chuq Von Rospach wrote:
>> pull out a pen and make a minor change to the card, and the user now
>> has an address that's pre-whitelisted.
>
> If you can do that in your head, then the spammer can certainly figure
> it out. No?

Depending on how it's done, it could be open to dictionary attacks. You
wouldn't want system-defined standards here, just a way to create
layers of addresses. Still better than what we have now, but there's
clearly a tradeoff between ease of use and how secure it is. Details
TBD.

> Also, keep in mind the sender's system. When you give people an
> address, they have this nasty habit of actually remembering it. They
> put it in their address book, they put in their paper note taking
> system. They put it in their database. If I need to shunt them to a
> permanent address, I need an easy way to do it.

noted for later reflection.

>> register for Apple eNews with only whitelists the apple.com domain,
>> the first time you get email using that registration token, it
>> changes the whitelist to that address, not the entire domain.
>
> Would that actually work? I know a lot of my Apple email seems to
> come from different addresses, but I couldn't swear as to which
> subscription caused which one.

It would, I think, and the confusion you bring up is one reason why I
mentioned this. It goes back to the layers of consent. Subscribing to
one newsletter doesn't imply subscribing to all, or to other marketing
stuff, or... So once you know what addresses what you asked for are
coming from, you want some way to know if you're getting other stuff,
too.

>> set up your amazon.com account that accepts email from all of
>> amazon.com, but only if the email relays in from a defined netblock.
>
> Great until they contract something out to mx0.net or some such.

again, it's the company's responsibility to deal with this, IMHO. set
the expectations, warn about changes, or deal with the consequences of
not informing users what's going on. I consider this a feature in that
it tells you what is being done so you can make a decision whether to
accept it. It makes it harder for companies to do "consent creep" on
you, because you can, to the level you care, set up your permissions to
enforce it.

>> the nice thing is a system like this can be built simple enough for
>> MY MOM,
>
> As you just described it I'd be real reluctant to try and pitch that
> one to my mother.

As I have it in my head, I would. but there's a lot to be noodled out.
But my model is basically how mail.app on OS X does spam processing.
For the individual on a cable modem or home DSL, it doesn't have to get
too fancy or complex. So for the "individual" system, the idea would be
to generate functionality that could be used within the context of a
GUI MUA without lots of geekiness. Worrying about more complex stuff
will go into the organizational whitelisting system, or some hidden
wizard mode for some stuff.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
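
An added sketch, not part of the original message or of any ASRG proposal: one way the per-registration whitelist discussed in this message could behave, with a token that starts out accepting a whole domain, optionally only from a given netblock, and can narrow itself to the first sender address it sees. The class and field names, token strings, sender addresses and the netblock are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Grant:
    """Consent attached to one registration token (hypothetical structure)."""
    domain: str                      # domain whitelisted at registration time
    netblock: Optional[str] = None   # optional CIDR the relaying host must be in
    pin_first_sender: bool = False   # narrow to the first address actually seen
    pinned: Optional[str] = None     # set after the first accepted message

class TokenWhitelist:
    def __init__(self):
        self.grants = {}

    def register(self, token, domain, netblock=None, pin_first_sender=False):
        self.grants[token] = Grant(domain.lower(), netblock, pin_first_sender)

    def check(self, token, sender, relay_ip):
        """Return (accepted, reason) for mail sent to the tokenised address."""
        grant = self.grants.get(token)
        if grant is None:
            return False, "unknown token"
        sender = sender.lower()
        # Sender addresses are easy to forge; the netblock test ties the
        # message to the relays the company told the user about.
        if grant.netblock:
            net = ipaddress.ip_network(grant.netblock)
            if ipaddress.ip_address(relay_ip) not in net:
                return False, "relay outside netblock"
        if grant.pinned:
            if sender == grant.pinned:
                return True, "pinned sender"
            return False, "not the pinned sender"
        if sender.rpartition("@")[2] != grant.domain:
            return False, "domain not whitelisted"
        if grant.pin_first_sender:
            grant.pinned = sender    # domain-wide consent shrinks to one address
            return True, "first use, sender pinned"
        return True, "domain whitelisted"

if __name__ == "__main__":
    wl = TokenWhitelist()
    wl.register("shop", "amazon.com", netblock="192.0.2.0/24")  # constructed
    print(wl.check("shop", "orders@amazon.com", "198.51.100.7"))
```

The last call shows the outsourcing case raised in the thread: mail for the same domain arriving from a relay outside the registered netblock is refused until the user changes the grant.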