
Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.)

2004-03-05 12:55:24

On Mar 5, 2004, at 11:39 AM, Yakov Shafranovich wrote:

> I am not saying that they are used specifically by bad guys or people with bad prior reputation, but the main purpose of accreditation systems is whitelisting email that might not get through otherwise.

I'm going to excise this out and answer this specifically, because so much of the rest of your reply is predicated on this premise.

That is not what an accreditation system (necessarily) is, and it's not what IADB is. IADB is very specifically _not_ a whitelist (nor a blocklist) - it is, if you will, a colour-neutral list, which provides you with very specific datapoints. It's a companion to a sender-authentication check. Taking an accreditation check (such as to IADB) along with a sender identity check, you know:

a) who the sender is
b) that they really are who they say they are
c) that the source IP address is consistent with whom they say they are, and
d) that they have been found to meet a certain set of standards

The real world example of an accreditation is Underwriters Labs, or the Good Housekeeping Seal of Approval. Or that certificate in an elevator saying it has been inspected on such-and-such a date. Or a school being accredited.

All of these, like a listing in IADB, say "the product bearing this accreditation has been proven to meet a certain set of standards as determined by the accrediting body."

It's your choice to determine what that means to you; I know very few people who would accept any of the above, *alone*, as the reason to choose the particular product, or accept the particular email. There are plenty of schools which are accredited to which I would not send my dog, let alone my child. Likewise plenty of products bearing the UL label which I would not take if you paid me, let alone spend money on.

But taken as a datapoint, matched up with other datapoints (in this case sender i.d., lack of presence in a blocklist - whatever criteria *you* choose), it's very useful.

It is, if you will, reputation once removed. If you trust Underwriters Lab then you take their seal at face value to mean "this product passes UL's requirements to bear this seal". If you trust ISIPP, then you take a listing in the IADB at face value to mean "this sender meets the ISIPP criteria".

Anne






_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


