ietf-asrg

Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.)

2004-03-05 13:37:24
Anne P. Mitchell, Esq. wrote:

On Mar 5, 2004, at 11:39 AM, Yakov Shafranovich wrote:

I am not saying that they are used specifically by bad guys or people with bad prior reputation, but the main purpose of accreditation systems is whitelisting email that might not get through otherwise.


I'm going to excise this out and answer this specifically, because so much of the rest of your reply is predicated on this premise.


Thank you for the clarifications.

....
All of these, like a listing in IADB, say "the product bearing this accreditation has been proven to meet a certain set of standards as determined by the accrediting body."

It's your choice to determine what that means to you; I know very few people who would accept any of the above, *alone*, as the reason to choose the particular product, or accept the particular email. There are plenty of schools which are accredited to which I would not send my dog, let alone my child. Likewise plenty of products bearing the UL label which I would not take if you paid me, let alone spend money on.

But taken as a datapoint, matched up with other datapoints (in this case sender i.d., lack of presence in a blocklist - whatever criteria *you* choose), it's very useful.

It is, if you will, reputation once removed. If you trust Underwriters Lab then you take their seal at face value to mean "this product passes UL's requirements to bear this seal". If you trust ISIPP, then you take a listing in the IADB at face value to mean "this sender meets the ISIPP criteria".

Thank you very much for the clarifications. In my example, I used a letter of reference from a third party as a real world example which goes well with the example you are giving here of "reputation once removed".

I guess I would say that my concern is not with the accreditation concept itself but rather with how it is used. I agree with you that accreditation by itself is not bad if it is used properly, but what concerns me is a parallel to blacklists. Many blacklists say that you should not use them as the only source of information, but many ISPs ignore that and do it anyway. What I am afraid of is the same happening with accreditation.

But I must say that I do not see this problem as significant as it is with blacklists, especially in light of your comment about schools above. People will err on the side of caution in the anti-spam world, and they will never trust anyone fully for whitelisting, even you (of course it depends on how the major ISPs use it - if the big ISPs suddenly start using IADB as a single criterion for whitelisting, it changes things but that's not your problem). So, the likelihood of a single whitelist system becoming trusted by a large percentage of the Internet is less likely than a blacklist.

Having said that, my original question is more relevant to blacklists and statistical systems - with any form of identity and reputation system, how can we prevent the same problems that haunt today's blacklists?

Yakov
