ietf-dkim
[Top] [All Lists]

Re: The Value of Reputation (was Re: [ietf-dkim] Re: WG Review: Domain Keys Identified Mail (dkim))

2005-12-31 16:52:03


--On Tuesday, 27 December, 2005 10:33 -0500 Nathaniel Borenstein
<nsb(_at_)guppylake(_dot_)com> wrote:

Reputation remains the only solution able to abate the bulk
of abuse.

The word "only" makes me cringe a bit in any discussion like
this (a global fascist state, for example, is another possible
solution), but I think most of us pretty much agree about the
critical role of reputation.  I see the cycle as going like
this:  We need at least one standardized, moderately-useful
system for weakly authenticating the sources of messages.
Once we have that, we have the minimal data that a reputation
system will require to be able to start doing something at
least mildly useful.  Once we have *that*, we will have (in
our reputation systems) a built in "market" for additional
systems for (perhaps less weakly) authenticating the
desirability (not necessarily solely due to the source) of
incoming messages.  To some extent, there's a chicken-and-egg
problem with authentication and reputation technologies. 

Nathaniel,

I've held off responding to this because people assume that I'm
an opponent of either DKIM or of chartering a WG for that
purpose, and I'm neither.  However, the comment above calls for
a response or two.  John Leslie has provided part of that
response; let me provide the other part.

Global reputation vetting is a hard problem.  To a considerable
extent, that makes a strong argument for local reputation
assessment, not for identifying those who cannot be
reputation-validated as spammers but for giving preferred
treatment to those who are on some preferred list.  As I
understand it, that is a major motivation of at least several of
those who are pushing DKIM.  So far so good.

The difficulty is that establishment of such a mechanism makes
it very easy for, e.g., an ISP that wants to "protect its
customers from spam" and reduce spam traffic on its backbone to
say "aha, any message that isn't validated/authorized by someone
whom we recognize is obviously hostile and should be silently
dropped".  And the only sources they are likely to recognize are
members of their own messaging cabal.   In theory, the
marketplace should fix that problem --all of their customers who
actually want to received email from customers of other ISPs
would leave.   But, in practice, we know that those marketplace
mechanisms often don't work terribly well.   I would be hesitant
to make comparisons between that situation an global fascist
states, but, since you introduced the term...

Now using DKIM, or a wide variety of other techniques, this way,
would clearly be abuse of the intent of the methods.  But one of
the things we all should have learned by now is that a
technology that can be abused almost certainly will be abused.
It seems to me that, were DKIM to succeed, we would run a
significant risk of seeing the Internet fragmented into
DKIM-approval camps (with the non-DKIM-users left out of all of
them).  And if it produces, as you suggest, a new generation of
authentication technology eggs, that could lead to even more
fragmentation as various parties are forced to choose between
the costs of supporting multiple methods and the risk of
receiving only that mail that comes from someone who has chosen
the same method as the receiver and the receiver's ISP and
environment.

That situation could lay an egg indeed.

Again, this is not an argument against chartering a WG.  It
might be an argument for insisting that such a WG explain, as
part of proposing something for standardization, how obvious
abuses of it are to be avoided or repelled.

     john


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>