ietf-asrg

RE: [Asrg] Consent Proposal

2003-07-01 10:48:42
Yakov Shafranovich wrote:
> an overall consent framework
        Yes, I'd like to see that framework... I think there are a
number of questions that should be answered by it:

        What is the "language" of consent? When you consent, what is it
that you consent to? Or, when you withhold consent, what is it that you
withhold consent for? In simple systems, consent is binary and focused
only on senders. Either a sender may, or may not, send messages.
However, some have proposed that consent be granted in a much more
granular fashion. Thus, you should be able to consent based on a number
of attributes such as:
        0. Identity of sender
        1. Size of message
        2. Encoding of message (character sets, HTML, etc)
        3. Source IP (presence on white/blacklists)
        4. From: header matches with sending server (i.e. RMX, etc.)
        5. Presence of signatures
        6. Presence of attachments
        7. Rate of message arrival (i.e. only 3 messages per day per
sender...)
        8. Words used in message. (i.e. no message using "bad" words)
        9. Use of Multi-part MIME
        10. etc...
        The goal here should be to define the "language" of consent. To
show what can be said and perhaps understand under what circumstances it
is reasonable to say these things and what benefit can come from saying
them. Also, some attention should be paid to the issues of what can and
cannot be determined by a machine. For instance, a machine can easily
measure the size of message. A machine can also, in some cases,
determine what account was used to send a message. However, a machine
will not be able to determine the actual human who caused a message to
be sent. (not even with PKI, signatures, etc...)

        We should distinguish between consent which is implied (by
reliance on some mechanism such as RMX) or explicit -- i.e. consent that
is expressed independent of the consent management mechanism in some
form like a "license to send" or a consent token.
        Explicit statements of consent have interesting properties
especially if they are encoded in a machine readable form. For instance,
a simple expression of consent such as "I don't accept mail that
contains the word 'Viagra'." can be used to parameterize the behaviour
of spam filters on the recipient's desktop as well as on upstream
processors such as the recipient's ISP's servers. One might even pass
such a statement to a potential sender. In one possible world, a sender
might have a pop-up in their editor that warns them that "Use of the
word 'Viagra' will prevent delivery of this message to one or more of
the current recipients."
        An expression of consent might also serve as a license that can
be used by the sender. For instance, if I consent to receive mail from
you, you should be able to use some kind of a token or certificate to
ensure that your messages bypass interference by any filtering
mechanisms in the channel between us.

                bob wyman


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
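
The machine-readable consent statement described in the message above, sketched as an added example that is not part of the original post or of any ASRG specification. The ConsentPolicy schema and its field names are assumptions, and the sample message is constructed. The same check could run in a recipient-side filter or in a sender's editor to produce the warning the message describes.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

@dataclass
class ConsentPolicy:
    # Hypothetical schema: fields mirror some attributes listed in the message.
    senders: frozenset = frozenset()        # empty means any sender
    max_bytes: int = 100_000
    allow_html: bool = True
    allow_attachments: bool = True
    banned_words: frozenset = frozenset()
    max_per_day: int = 3                    # per sender

def violations(policy, raw, seen_today=0):
    """Return the reasons a raw RFC 822 message falls outside the policy."""
    msg = message_from_string(raw)
    # The From: header is only a claim about an account, never proof of a person.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reasons = []
    if policy.senders and sender not in policy.senders:
        reasons.append(f"sender {sender} not consented to")
    if len(raw.encode("utf-8")) > policy.max_bytes:
        reasons.append("message too large")
    if seen_today >= policy.max_per_day:
        reasons.append("daily rate exceeded")
    text = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() and not policy.allow_attachments:
            reasons.append(f"attachment {part.get_filename()}")
        elif part.get_content_type() == "text/html" and not policy.allow_html:
            reasons.append("HTML encoding")
        if part.get_content_maintype() == "text":
            text.append(str(part.get_payload()))
    words = set(re.findall(r"[a-z]+", " ".join(text).lower()))
    reasons += [f"word '{w}'" for w in sorted(policy.banned_words & words)]
    return reasons

# Constructed sample message and policy (not taken from the thread).
SAMPLE = (
    "From: Alice <alice@example.org>\nSubject: offer\n"
    "Content-Type: text/html\n\n<p>Cheap Viagra today</p>\n"
)
POLICY = ConsentPolicy(allow_html=False, banned_words=frozenset({"viagra"}))
```

Calling violations(POLICY, SAMPLE) returns one reason per rule the message breaks; an empty list means the message is within what the recipient consented to.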


