ietf-asrg
[Top] [All Lists]

Re: [Asrg] Its all over for Challenge Response

2004-03-03 15:57:22
Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
For the IETF, it is the _only_ argument.  Folks forget that we exist
to produce specifications that get used.  Not "implemented" but
actually used.

  I believe the original point was about roaming users sending mail
via SSH tunnels in an LMAP-aware world, where their dynamic IP wasn't
listed in LMAP.  They could then use SMTP over an SSH tunnel to send
mail via a machine in the domain, versus using naked SMTP themselves.

  SSH exists and has been widely deployed for years.  SMTP exists and
has been widely deployed for years.  There is no need for additional
standards work.  There is only a need for MUA authors to implement and
deploy existing protocols.

  Nothing in that process requires input from the IETF or any other
standards body.

[ incentive to upgrade ]

That is my point.  The nature and amount of incentive needed depends
on the cost and the benefit (along with a few other factors, of
course.)  Any scheme that proposed massive change needs to pay quite a bit of
attention to the both of these.  That requires detailed thinking,
not a simple handwave.

  I agree.  But when a proposal is being opposed, we similarly need a
cost/benefit reason for opposition, not a simple hand-waving of "it
will cost more than most people think."  Such arguments don't help
move the discussion forward, either.

AD>   And we already know that people who won't upgrade won't be doing
AD> anything to help solve the spam problem.  We can ignore any arguments
AD> about their needs, as they've already made their choice to accept the
AD> current situation.

That line of thinking is quite popular in the technical community, and
often even in the management community.  It accounts for a massive
number of companies' failures.  As well as standards' failures.

  I'm not sure how that comment is relevant to what I said.  I'm not
saying we deny them their needs, I'm saying that their anti-spam needs
aren't really relevant for input to the design of an anti-spam system,
as they chose not to participate in that system.

  In simple steps:

  a) If we design an anti-spam system which, by design, has zero
     impact on non-implementors when they interact with implementors,
     then it will also have zero impact on spammers.  (Who, by
     definition, won't implement it, or will implement it solely to
     abuse it.)

  b) If we design an anti-spam system which DOES require people to
     participate to get its benefits, then people who DON'T participate
     may not reap its benefits.

  c) That's OK, because they chose not to participate.

  d) People who don't implement an anti-spam system shouldn't be
     affected by it, unless they choose to interact with someone who
     does implement it.

  e) In that case we already know that communication is solely by
     mutual consent.

  f) Any anti-spam system MUST permit the implementor to choose to
     communicate with non-implementors, otherwise it is a draconian
     system, and will not be implemented by anyone.

  g) In which case, everyone is happy.  People who implement it will
     reap the benefits with other implementors.  People who don't
     implement it won't have their interaction with non-implementors be
     affected.

  The interaction between the two groups is solely at their own
discretion, which means local policy, which means it's outside of the
scope of ASRG & the IETF.

  I hope that makes my intentions clearer.

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg