[Note: ietf(_at_)ietf(_dot_)org removed from distribution because I am not a
subscriber to that list and have no intention of subscribing because I
am already subscribed to way too many mailing lists. If a subscriber to
ietf(_at_)ietf(_dot_)org feels it is appropriate, please feel free to forward
this message to that list.]
On Tuesday, January 03, 2006 at 1:46 PM Jim Fenton wrote:
> I completely agree that reputation has a critical role
> (although accreditation is important in many situations, as
> Phill has pointed out, and should not be ignored). However,
> I have come to believe that there is a great deal of subtlety
> below the surface of any good reputation system:
> - Preventing abusers from "gaming the system" to get good scores
> - Preventing attackers from damaging the reputations of others
> - Defending the reputation system against legal actions from
> those who feel they have been hurt
> - Making it all work within the law, considering privacy
> laws, restraint of trade, and so forth, considering that the
> laws governing this vary by jurisdiction
> For this reason, I don't think the operation of reputation
> systems themselves should be defined by IETF; different users
> will have different needs. However, standard protocols for
> communicating with reputation systems will be needed, and
> this is a very important area for IETF to address.
> Transaction rates for lookups will be high, and careful
> protocol design is needed. The use of standard protocols in
> this area will allow clients to pick a suitable reputation
> service, and to change services without changing their
> infrastructure. Both reporting and query protocols will need
> to be defined.
> Much of this applies to accreditation services as well,
> although there are some different requirements (negotiating
> an accreditor to use between sender and recipient/verifier,
> for example).
Jim makes some excellent points and raises several interesting avenues
of discussion which I would love to pursue. However, is the DKIM
mailing list the proper forum for doing so? It was my understanding
that the main item on the table at this time is finalizing the threats
document. Other venues where it might be better to discuss the topics
Jim raises could be the Anti-Spam Research Group's Identity,
Authentication and Reputation subgroup, or the "dia-blog" associated
with the Open Reputation System project. The former is quite moribund,
and John Levine is pleading for some activity there. The ORS dia-blog,
OTOH, is somewhat more active.
Information about the ASRG IAR can be found at
http://asrg.sp.am/subgroups/iar.shtml. The ORS dia-blog is at
http://ors.blogs4change.org/. If you are interested in becoming a
designated "author" on the ORS dia-blog please let me know and I will
put you in touch with the person who can enable that for you.
Regards,
Nick
--
Nick Nicholas
Knowledge Engineer
Habeas Inc.
650-694-3320
nick(_at_)habeas(_dot_)com
_______________________________________________
ietf-dkim mailing list
http://dkim.org