
Re: [Asrg] 3. Requirements - Proposed Changes for Document

2003-11-14 12:31:15
On Friday 14 November 2003 11:36, Eric S. Raymond wrote:

 1.3.5     Challenge/Response System (RCD)

+A challenge-response system is a technique that requires a mail sender
+to authenticate itself by computing and returning an acceptable
+response from a piece of data presented by the receiver.
+Challenge-response authentication may be used to demonstrate that
+the sender knows a shared secret qualifying it as one that has the
+receiver's consent, or that the sender has paid a toll in
+computational or other resources for the privilege of sending to

Perhaps also worth mentioning:

!the receiver, or possibly in other ways not anticipated here.
!the receiver, or that sending the message required interaction
+with a human being, or possibly in other ways not anticipated
+here.

I'm thinking of schemes where (part of) the challenge is a hard-to-OCR
image, the contents of which need to be part of the response.  A
scheme which is in increasingly common use on web sites to avoid
automated form submission but that I've yet to see used for
email C/R.

+Most users implicitly consent to receive non-commercial communications
+from individuals, and implicitly withhold consent to receive
+unsolicited bulk email.  Explicit consent to recieve solicited bulk
+email (e.g. mailing lists) is also common.
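Review bot: "recieve" in the third line of this hunk should be "receive"; the same paragraph is also repeated verbatim later in the document (under 1.3.25 and 1.3.31), so it is worth keeping a single copy that the other definitions refer to.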

This finds itself paraphrased throughout the document, but I think it raises 
the usual concern about the definition of spam in general.  What about email 
of a commercial nature but sent to one or many users with the reasonable 
expectation that they will be interested?  Or manually sent email of a nature 
where expectation of consent is unreasonable (Say, I pick the support email 
of some pro-foo web site and email them anti-foo hate mail)?

All that to say that...

 1.3.7     Consent Based Communications (RCD)

+An individual consent-bassed communication is one for which the sender
+has a justified expectation of consent by the receiver.
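Review bot: "consent-bassed" in the first line of this hunk should be "consent-based", matching the heading of 1.3.7.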

This sounds like a much more reasonable definition to me (minus the paraphrase 
that follows).  In fact, the whole "justified expectation" concept sounds to 
me like a very valuable premise when trying to define spam in the first 
place.  Perhaps we should spend some brain cycles to refine it?

 1.3.8     Commercial E-mail (RCD)

+Commercial email is any electronic mail sent for the purpose of
+promoting a product, service or profit-making enterprise; or of
+soliciting a business relationship.

Yes, and that is part of my problem with the definition of spam as we usually 
know it.  If I send *one* email announcing my newfangled 
foo-manufacturing-tool to a list of businesses or individuals that I have 
collected from foo-manufacturing websites, I have a reasonable expectation 
that they might be interested.  Indeed, I would doubt that the recipients 
would feel the message /was/ spam unless they started seeing multiple copies 
filling their inbox.

If I collect the email from a foo-related newsgroup, say, then my "justified 
expectation" is more tenuous.  It vanishes entirely if I buy a mailing list 
or spider randomly for emails from the web.

 1.3.25    Non Consent Based Communication (spam) (RCD)

+A non-consent-based communicatoon (idiomatically, spam) is one for
+which the sender does not have a justified expectation that the target
+will consent to receive it. Most users implicitly consent to receive
+non-commercial communications from individuals, and implicitly
+withhold consent to receive unsolicited bulk email; the justified
+expectation should be formed in light of this standard policy.
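Review bot: "communicatoon" in the first line of this hunk should be "communication"; the second sentence onwards duplicates the "Most users implicitly consent" paragraph already introduced under 1.3.5, so a cross-reference would avoid two copies drifting apart.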

I'd just drop the bit about "most users".  I'm not sure it's helpful and it 
tends to partition spam into classes, which has always caused problems.

 1.3.31    Spammer (RCD)

+A spammer is a person or organization that habitually sends spam, that
+is email for which the sender has no reasonable expectation that the
+targets will consent to recieve it.
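Review bot: "recieve" in the third line of this hunk should be "receive"; this definition also says "reasonable expectation" where 1.3.7 and 1.3.25 say "justified expectation", so one term should be chosen and used throughout.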

I'd use "reasonable" or "justified" throughout.  I would tend to prefer 
justified, myself, but alternating is confusing if the intended meaning is 
the same.

+Most users implicitly consent to
+receive non-commercial communications from individuals, and implicitly
+withhold consent to receive unsolicited bulk email; the justified
+expectation should be formed in light of this standard policy.

Again?  :-)  Even if we want to keep that definition of "default" 
expectations, it should probably be in one place only; otherwise they may get 
out of sync as we revise the document.

+1.3.38    Tumbler

Nice terminology.  Adopted.  :-)

 2.4.1     Rational:

Rationale?

Otherwise all very nice, IMO, and a very good foundation on which to build.

-- Marc A. Pelletier
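The challenge-response definition quoted at the top of this message describes a receiver that presents a piece of data and a sender that computes an acceptable response from it, either by proving knowledge of a shared secret or by paying a computational toll. What follows is an added example written for this page; it is not code from the draft, from Eric S. Raymond or from anyone on the list. It assumes an HMAC-SHA256 response for the shared-secret flavour and a hashcash-style proof of work (SHA-256 digest with an assumed 16 leading zero bits) for the toll flavour; the human-interaction flavour proposed above is left out because by design it cannot be answered by software. The point it shows beyond the definition itself is that the challenge must be unpredictable and consumed on first use, otherwise a previously computed response, or the work behind it, can simply be replayed.

```python
import hashlib
import hmac
import secrets

# Difficulty for the "computational toll" flavour. The draft names no figure;
# 16 bits is an assumed value giving roughly 2**16 hash evaluations per message.
TOLL_BITS = 16


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest; grades a proof-of-work response."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def toll_digest(nonce: str, counter: int) -> bytes:
    """Work is bound to the receiver's nonce so it cannot be computed in advance."""
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


class Receiver:
    """Receiving side: issues one-time challenges and grades the responses."""

    def __init__(self, shared_secrets: dict[str, bytes]):
        # sender address -> secret established when the receiver gave consent
        self.shared_secrets = shared_secrets
        # sender address -> outstanding nonce (at most one per sender)
        self.pending: dict[str, str] = {}

    def issue_challenge(self, sender: str) -> str:
        nonce = secrets.token_hex(16)  # unpredictable, so responses cannot be precomputed
        self.pending[sender] = nonce
        return nonce

    def verify_shared_secret(self, sender: str, response: str) -> bool:
        """Accept only if the sender proved knowledge of the secret for this nonce."""
        nonce = self.pending.pop(sender, None)  # consumed on first use: no replay
        secret = self.shared_secrets.get(sender)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    def verify_toll(self, sender: str, counter: int) -> bool:
        """Accept only if the sender paid the toll against this nonce."""
        nonce = self.pending.pop(sender, None)  # consumed on first use: no replay
        if nonce is None or counter < 0:
            return False
        return leading_zero_bits(toll_digest(nonce, counter)) >= TOLL_BITS


# Sending side.

def respond_with_secret(secret: bytes, nonce: str) -> str:
    """Cheap response for a sender that already has the receiver's consent."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def respond_with_toll(nonce: str, bits: int = TOLL_BITS) -> int:
    """Brute-force a counter whose digest has the required leading zero bits."""
    counter = 0
    while leading_zero_bits(toll_digest(nonce, counter)) < bits:
        counter += 1
    return counter


def demo() -> dict[str, bool]:
    """Run both flavours plus a replay of each; values are the receiver's verdicts."""
    receiver = Receiver({"alice@example.org": b"constructed-shared-secret"})

    # Consenting correspondent answers from the shared secret.
    nonce = receiver.issue_challenge("alice@example.org")
    answer = respond_with_secret(b"constructed-shared-secret", nonce)
    secret_ok = receiver.verify_shared_secret("alice@example.org", answer)
    secret_replay = receiver.verify_shared_secret("alice@example.org", answer)

    # Unknown sender pays the computational toll instead.
    nonce = receiver.issue_challenge("stranger@example.net")
    counter = respond_with_toll(nonce)
    toll_ok = receiver.verify_toll("stranger@example.net", counter)
    toll_replay = receiver.verify_toll("stranger@example.net", counter)

    return {
        "secret_ok": secret_ok,
        "secret_replay_rejected": not secret_replay,
        "toll_ok": toll_ok,
        "toll_replay_rejected": not toll_replay,
    }


if __name__ == "__main__":
    print(demo())
```

In practice the receiver would have to persist outstanding nonces per sender across messages and expire them, and a deployment would tune TOLL_BITS so the cost is negligible for one message but prohibitive in bulk; the example keeps both in memory to stay self-contained.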

