Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.)
2004-03-05 13:37:24
Anne P. Mitchell, Esq. wrote:
On Mar 5, 2004, at 11:39 AM, Yakov Shafranovich wrote:
I am not saying that they are used specifically by bad guys or people
with bad prior reputation, but the main purpose of accreditation
systems is whitelisting email that might not get through otherwise.
I'm going to excise this out and answer this specifically, because so
much of the rest of your reply is predicated on this premise.
Thank you for the clarifications.
....
All of these, like a listing in IADB, say "the product bearing this
accreditation has been proven to meet a certain set of standards as
determined by the accrediting body."
It's your choice to determine what that means to you; I know very few
people who would accept any of the above, *alone*, as the reason to
choose the particular product, or accept the particular email. There
are plenty of schools which are accredited to which I would not send my
dog, let alone my child. Likewise plenty of products bearing the UL
label which I would not take if you paid me, let alone spend money on.
But taken as a datapoint, matched up with other datapoints (in this case
sender i.d., lack of presence in a blocklist - whatever criteria *you*
choose), it's very useful.
It is, if you will, reputation once removed. If you trust Underwriters
Lab then you take their seal at face value to mean "this product passes
UL's requirements to bear this seal". If you trust ISIPP, then you take
a listing in the IADB at face value to mean "this sender meets the ISIPP
criteria".
Thank you very much for the clarifications. In my example, I used a
letter of reference from a third party as a real world example which
goes well with the example you are giving here of "reputation once removed".
I guess I would say that my concern is not with the accreditation
concept itself but rather with how it is used. I agree with you that
accreditation by itself is not bad if it is used properly, but what
concerns me is a parallel to blacklists. Many blacklists say that you
should not use them as the only source of information, but many ISPs
ignore that and do it anyway. What I am afraid of is the same happening
with with accreditation.
But I must say that I do not see this problem as significant with as it
is with blacklists, especially in light of your comment about schools
above. People will err on the side of caution in the anti-spam world,
and they will never trust anyone fully for whitelisting, even you (of
course it depends on how the major ISPs use it - if the big ISPs
suddenly start using IADB as a single criteria for whitelisting, it
changes things but that's not your problem). So, the likehood of a
single whitelist system becoming trusted by a large percentage of the
Internet is less likely than a blacklist.
Having said that, my original question is more relevant to blacklists
and statistical systems - with any form of identity and reputation
system, how can we prevent the same problems that haunt today's blacklists?
Yakov
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), (continued)
- Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Markus Stumpf
- Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Seth Breidbart
- Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Markus Stumpf
- Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Seth Breidbart
- Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Markus Stumpf
- Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Alan DeKok
Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Daniel Feenberg
Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.), Yakov Shafranovich
|
|
|