Re: The Value of Reputation (was Re: [ietf-dkim] Re: WG Review: Domain Keys Identified Mail (dkim))
2005-12-27 11:35:40
 
On Dec 27, 2005, at 7:33 AM, Nathaniel Borenstein wrote:
 
> I'm sorry, the "authorization method" was an echo of the term used
> in the mail I was replying to (which is why it was in quotes).  I
> was really trying to generalize to a whole range of technologies
> without making my wording too awkward.  Perhaps I should have
> replaced "such methods" with "antimalware technologies" or "abuse
> control mechanisms."  In any event, I fully agree that the term
> authorization, in this context, is both A) insufficiently
> generalized, and B) troublesome on countless philosophical grounds.
 
The response was specifically against the use of "authorization."
With respect to SPF/Sender-ID or SSP, these are indeed email-address
"authorization" schemes.  With Sender-ID, "authorization" has been
incorrectly described as a form of "authentication", and much like
Sender-ID, SSP appeared more by way of introduction rather than
discussion.  All of these "authorization" schemes, especially SSP,
will disrupt the delivery of legitimate email.  This "authorization"
scheme also proposes untold numbers of DNS lookups for perhaps any
number of From addresses and signatures.  The art of "open-ended
authorizations" (burden shifting) in SSP will soon include
"authorized" signature lists.  SSP also considers itself a "weak"
form of "authentication" by directing complaints to the email-address
rather than the signer. :(
 
> > Reputation remains the only solution able to abate the bulk of abuse.
 
 
> The word "only" makes me cringe a bit in any discussion like this
> (a global fascist state, for example, is another possible
> solution), but I think most of us pretty much agree about the
> critical role of reputation.
 
Some view a closed system, rather than a system open to tens of
millions of email-address domains, as an alternative to reputation.
Even in that austere system, however, each would consider their access
contingent upon their reputation for good behavior.  Reputation is an
unpleasant reality where identifying those culpable for abuse _must_
_not_ be taken lightly.
> I see the cycle as going like this:  We need at least one
> standardized, moderately-useful system for weakly authenticating
> the sources of messages.
 
I see the base DKIM draft forming a solid basis to identify email
sources.  The ill-considered SSP draft will seriously hinder the DKIM
effort.  Serious problems are already being handled by way of
burden-shifting, rather than considering real solutions.  The related
expense associated with an imposition of a disruptive email-address
authorization scheme does not justify this component's inclusion
within the DKIM charter.  With far less overhead, spoofing attempts
can be thwarted without email-address authorizations.  Many of the
serious crimes depend upon embedded links rather than use of an
email-address (which are never seen by the majority of recipients).  A
solid basis for the source of an email-address will significantly
enhance protective strategies.  It is a dangerously false premise
that an authorization scheme offers protection, as any assurance in
that regard will increase the success rate of criminal fraud.
> Once we have that, we have the minimal data that a reputation
> system will require to be able to start doing something at least
> mildly useful.
 
Please note authentication does _not_ include SSP.
> Once we have *that*, we will have (in our reputation systems) a
> built in "market" for additional systems for (perhaps less weakly)
> authenticating the desirability (not necessarily solely due to the
> source) of incoming messages.  To some extent, there's a
> chicken-and-egg problem with authentication and reputation technologies.
> My hope for DKIM is that it will give us one good enough egg to
> produce a chicken, which can then (in much the manner that Cain and
> Abel found their wives, I guess) facilitate a whole new generation
> of authentication technology eggs.
 
Agreed.  Do not let the ill-conceived SSP derail DKIM.
> > When reputation is applied against an "authorization" as an
> > identifier, innocent email-address domain owners will be seriously
> > harmed.  Abusers will find acceptance methods for an authorization
> > scheme.
 
> Yes, every one of these schemes will be flawed.  That is why we
> need to understand A) the role of "weak authentication" (weeding
> out some but not all of the bad guys at any point in time, and
> using multiple sources of information to judge the desirability of
> a message) and B) the need for a continually evolving set of
> (ever-stronger, we hope) mechanisms for proving that a message is
> desirable to the recipient.  Some of those mechanisms will also
> involve (ever-stronger, we hope) sender authentication, but others
> could eventually involve technologies as unrelated to
> authentication as anonymous payment.
 
 To ensure email does not self-destruct, use of reputation against  
authorizations _must_ be avoided as imposing highly unfair treatment,  
even when email practices adapt to new paradigms.  When governments  
start issuing digital postage stamps, knowing the source of the email  
message remains important.  The recognition of these sources is  
beyond visual examination that can _not_ be aided by an authorization  
scheme.  MUAs will need to assist in the recognition efforts.  DKIM  
and recognition, but not authorization!
-Doug
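An added illustration of the distinction Doug draws between the signer and the email-address, not part of this thread and not code from any DKIM implementation: a small Python script that extracts the identifier DKIM actually vouches for (the `d=` signing domain of the DKIM-Signature header) separately from the From address, and keys a reputation lookup on the signer rather than on the address. The sample messages, domain names and reputation scores are constructed; cryptographic verification of the signature is assumed to have been done upstream by the verifying MTA (the script only parses headers).

```python
import re
from email import message_from_string
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature tag list ("v=1; a=rsa-sha256; d=...; ...") into a dict.
    Folding whitespace inside values (as found in the h= and b= tags) is stripped."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        # partition on the first '=' only: base64 b= values end in '=' padding
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def signer_identity(raw_message):
    """Return (signing_domain, from_domain) for a message.
    signing_domain is the d= tag of the DKIM-Signature, i.e. the party that took
    responsibility by signing; from_domain comes from the RFC 5322 From header.
    signing_domain is None when the message carries no DKIM-Signature at all."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower() or None
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None, from_domain
    return parse_dkim_tags(sig).get("d", "").lower() or None, from_domain


# Constructed reputation table: keyed by signing domain, never by From address.
SIGNER_REPUTATION = {"bulkmailer.example.net": -5, "corp.example.com": 3}


def score_message(raw_message, table=SIGNER_REPUTATION):
    """Look up reputation for the signer only. An unsigned message gets no score
    rather than one borrowed from whatever domain happens to appear in From."""
    signer, from_domain = signer_identity(raw_message)
    basis = "signer" if signer else "unsigned"
    score = table.get(signer, 0) if signer else 0
    return {"signer": signer, "from_domain": from_domain, "score": score, "basis": basis}


# Constructed sample: a corp.example.com address relayed through a third-party signer.
SIGNED_SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.example.net; s=sel1;
 h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQtc2lnbmF0dXJl
From: "Alice" <alice@corp.example.com>
To: bob@example.org
Subject: constructed sample

body text
"""

# Constructed sample: same From address, no signature at all.
UNSIGNED_SAMPLE = """\
From: "Alice" <alice@corp.example.com>
To: bob@example.org
Subject: constructed sample

body text
"""

if __name__ == "__main__":
    print(score_message(SIGNED_SAMPLE))
    print(score_message(UNSIGNED_SAMPLE))
```

Run as a script, the signed sample scores on `bulkmailer.example.net` (the signer) and leaves `corp.example.com`'s entry untouched, while the unsigned sample yields no score at all; the From domain is reported but never used as the lookup key.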
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf