Re: [Asrg] Two ways to look at spam

2003-07-02 05:23:39
From the point of view of effectiveness on spam control, it's probably
worth distinguishing two classes of features that might appear in such
consent declarations.  

There are the relatively easy things: whether I accept HTML
attachments, size of email, etc.  In general, those things which can
be checked (and therefore enforced) automatically.  

Then there are the things that (alas) don't seem to be automatically
enforceable: for example that I won't accept any commercial email,
that I won't accept any commercial email except about getting larger,
firmer mortgages for septic tanks.

The former would be useful, but I'm doubtful that it would have much
of an impact on spam.  The latter seems to me to rely on the sender
accurately tagging their messages according to content---possibly that
would happen often enough that it would be worthwhile, but I'm not
sure that it would.


I'm not sure about this, there seems to me (at the most general) to be
only one class of things that need be asserted in a consent expression: How
this message is classified by some engine. Your second class seems to me to
be the sort of thing that's routinely handled by content-filters
(imperfectly, I grant you).

So rather than saying:
1. message has html => noconsent
2. message mentions 'septic tank enhancement' => consent
3. message is from grandma => consent
4. message has valid consent token => consent
5. message has blacklisted source IP => noconsent
etc ...

You might say something more like
positive_test(name_of_engine_1, engineargs, message) => noconsent 
positive_test(name_of_engine_2, engineargs, message) => consent 
etc...

So your consent expression is a bunch of assertions which can be
evaluated at a policy-enforcement-agent if it has access to the
classification engines you specify.
Might be something like:

positive_test("spamassassin-like-engine",
              "version>2.50",
              "com.connectisl.myusername.ruleset", 
              "level>5.0",
              message)  => noconsent

positive_test("recipient_whitelist",
              "jrk(_at_)merseymail(_dot_)com", 
              message)  => consent


Are consent expressions only a means of carrying information from a
recipient-entity to a policy-enforcement-entity? Or are they for publishing
a statement to the world at large?

Are sending systems (paid for by the sender) likely to do
policy-enforcement for a remote recipient? Intermediate systems? Would a
global expression still have utility even if not acted on globally (as a
record of the recipient's policy)?

Also, does a consent expression creator need means of determining
capabilities of the enforcement-agent that's the target of the
consent-expression?
 




--

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
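
Added example, not part of the original message: a minimal policy-enforcement agent that evaluates a consent expression written as positive_test(engine, args, message) => verdict assertions, and reports any engine it does not have (the capability question raised at the end of the message). The engine names, rule ordering, "undecided" default and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def body_text(msg):
    """Lowercased text of every text/* part (constructed samples are not encoded)."""
    return " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_maintype() == "text").lower()

# Constructed stand-ins for classification engines: name -> test(args, msg) -> bool.
ENGINES = {
    "has_html": lambda args, msg: any(
        p.get_content_type() == "text/html" for p in msg.walk()),
    "recipient_whitelist": lambda args, msg: parseaddr(msg.get("From", ""))[1].lower() in args,
    "keyword_score": lambda args, msg: sum(
        w for k, w in args["weights"].items() if k in body_text(msg)) > args["level"],
}

def evaluate(expression, msg, engines=ENGINES):
    """Evaluate an ordered list of (engine, args, outcome) assertions.

    Assumptions of this sketch: the first positive test decides; an engine the
    agent lacks is reported and never counted as a match; no match is "undecided".
    """
    verdict, unsupported = "undecided", []
    for name, args, outcome in expression:
        test = engines.get(name)
        if test is None:
            unsupported.append(name)
        elif verdict == "undecided" and test(args, msg):
            verdict = outcome
    return verdict, unsupported

# Constructed consent expression; "remote_reputation" is deliberately not installed.
EXPRESSION = [
    ("recipient_whitelist", {"grandma@example.org"}, "consent"),
    ("keyword_score", {"level": 5.0, "weights": {"mortgage": 3.0, "larger": 2.5}},
     "noconsent"),
    ("has_html", None, "noconsent"),
    ("remote_reputation", {"min": 0.8}, "noconsent"),
]

def sample(sender, body, ctype="text/plain"):
    """Build a constructed test message."""
    return message_from_string(f"From: {sender}\nContent-Type: {ctype}\n\n{body}")

if __name__ == "__main__":
    for m in (sample("Grandma <grandma@example.org>", "<b>larger mortgage</b>", "text/html"),
              sample("ads@example.com", "Get a larger mortgage today"),
              sample("friend@example.com", "lunch tomorrow?")):
        print(evaluate(EXPRESSION, m))
```

The second element of the result is what an expression author would need to see: a rule naming an engine the agent lacks silently contributes nothing unless it is reported back.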