ietf-dkim

RE: [ietf-dkim] Re: The Value of Reputation

2006-01-04 09:53:45
[Note: ietf(_at_)ietf(_dot_)org removed from distribution because I am not a
subscriber to that list and have no intention of subscribing because I
am already subscribed to way too many mailing lists.  If a subscriber to
ietf(_at_)ietf(_dot_)org feels it is appropriate, please feel free to forward
this message to that list.]

On Tuesday, January 03, 2006 at 1:46 PM Jim Fenton wrote:

I completely agree that reputation has a critical role 
(although accreditation is important in many situations, as 
Phill has pointed out, and should not be ignored).  However, 
I have come to believe that there is a great deal of subtlety 
below the surface of any good reputation system:

- Preventing abusers from "gaming the system" to get good scores
- Preventing attackers from damaging the reputations of others
- Defending the reputation system against legal actions from 
those who feel they have been hurt
- Making it all work within the law, considering privacy 
laws, restraint of trade, and so forth, considering that the 
laws governing this vary by jurisdiction

For this reason, I don't think the operation of reputation 
systems themselves should be defined by IETF; different users 
will have different needs.  However, standard protocols for 
communicating with reputation systems will be needed, and 
this is a very important area for IETF to address.  
Transaction rates for lookups will be high, and careful 
protocol design is needed.  The use of standard protocols in 
this area will allow clients to pick a suitable reputation 
service, and to change services without changing their 
infrastructure.  Both reporting and query protocols will need 
to be defined.

Much of this applies to accreditation services as well, 
although there are some different requirements (negotiating 
an accreditor to use between sender and recipient/verifier, 
for example).

Jim makes some excellent points and raises several interesting avenues
of discussion which I would love to pursue.  However, is the DKIM
mailing list the proper forum for doing so?  It was my understanding
that the main item on the table at this time is finalizing the threats
document.  Other venues where it might be better to discuss the topics
Jim raises could be the Anti-Spam Research Group's Identity,
Authentication and Reputation subgroup, or the "dia-blog" associated
with the Open Reputation System project.  The former is quite moribund,
and John Levine is pleading for some activity there.  The ORS dia-blog,
OTOH, is somewhat more active.

Information about the ASRG IAR can be found at
http://asrg.sp.am/subgroups/iar.shtml.  The ORS dia-blog is at
http://ors.blogs4change.org/.  If you are interested in becoming a
designated "author" on the ORS dia-blog please let me know and I will
put you in touch with the person who can enable that for you.

Regards,

Nick


--
 
Nick Nicholas
Knowledge Engineer
Habeas Inc.
650-694-3320
nick(_at_)habeas(_dot_)com
 


_______________________________________________
ietf-dkim mailing list
http://dkim.org
