ietf-asrg
[Top] [All Lists]

Re: [Asrg] ASRG session at IETF

2006-02-23 14:07:46
On 23 Feb 2006 03:52:01 -0000, John Levine <asrg(_at_)johnlevine(_dot_)com> 
wrote:
* Interfaces to reputation systems

the Tagging standard could be used to define a standard way to include
reputation data in e-mail headers

Maybe I'm dense, but why would anyone care about alleged reputation
data that a sender included in his own headers?  It only makes sense
for recipients to check reputations of incoming mail.

The tagging paradigm is, an intermediate stop along the way adds the tags.

That is why forgery prevention is so important to the tagging discussions.

Spamassassin, a working tagging engine, throws out spamassassin tags
that are on the messages it processes.  Throwing out existing tags that
you are an authority for is one possible approach when you (as a tagging
engine) encounter your tag in the input.  Another is to mark that tag as
pre-existing.

I hope that takes care of the misunderstandings I perceive in your question:
tagging is not about unverified claims made at origination time, but is about:

(1) centralization of authoritative declarations
(2) verification of authenticity of (1)

The other possible misunderstanding is that senders aren't the only ones
who can add headers.  Headers can be and are added at any intermediate steps.

(1) can be and is done today by anything -- such as SA -- that adds some
information in an e-mail header.
(2) is tricky, and requires a consensus or at least a near-consensus on a
variety of issues, including:

     2a:   What do verifiable tags look like?

     2b:   Which authentication models and methods are supported?

     2c:   How does a tagging authority identify itself?


There is a lot of overlap between reputation and tagging; reputation could
be considered part of the tagging problem: given standard tags that may
be set upstream, the reputation of the tagging authority must be considered
when weighting the particular tag.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg