ietf-dkim

Re: [ietf-dkim] reputation formats, was DKIM adoption

2009-08-29 12:59:07
Today I think it would be helpful to publish - at least - something
like a recommendation on (a) suitable publishing systems (DNS is
appropriate in my view) (b) request parameters and (c) response
formats.

Back when we were developing VBR, we spent a fair amount of time
considering reputation query formats as a follow-on to VBR.  We came up
with some rough ideas, but the general feeling was that we don't
understand reputation well enough to try to nail anything down, and
that seems as true now as it ever was.

With respect to your specific proposal, I have two comments.  One is
that although the scheme for encoding i= strings is clever, we just
went through a lengthy process to establish the d= domain as the
primary identifier, so I would just use that.  Using a plain domain
also makes it easier to use a system on top of other authentication
systems like SPF and Sender-ID.  (Although I am a fan of neither,
there are certainly some cases where they can give you a solid enough
positive result to use.)

The other is that "reputation" is hardly a single dimension.  In our
work, we had a DNS query that returned a reputation number on a 0-100
scale, but we also had a confidence value to give a hint about how
certain we were that our opinion was right, and a code to indicate
what sort of organization it was.  (The code was a SIC number, a
common business type code used in North America.)  The idea was that
if you got mail from someone, and the lookup said it was a bank, a
poor reputation might indicate that it was likely to be spam, but
since it's from a real bank, it's unlikely to be a phish so you might
want to deliver it anyway.  It occurs to me that you might need a
variety of reputation scales for spamminess, phishiness, sleaziness,
and so forth, since different receivers are likely to have different
opinions of, e.g., unsolicited mail advertising an actual vendor of
fancy coffee.

This strikes me as a fine topic for the ASRG since it is, you know,
research.  It would be quite reasonable to publish one or more
experimental RFCs via the ASRG with proposed reputation exchange
formats to document what we've been thinking about and give the rest
of the world a place to start.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
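The multi-dimensional lookup John sketches above (a 0-100 score, a confidence value and a business-type code, keyed on the DKIM d= domain rather than an encoded i= string) can be made concrete with a small simulation. This is an added example written for this page; it is not code from the ietf-dkim list, from VBR, or from any deployed reputation service. The TXT record syntax (`v=rep1; s=...; c=...; sic=...`), the query-name layout `<domain>._rep.<service>`, the thresholds, and the set of bank SIC codes are all assumptions made for illustration, and the DNS answers are a constructed in-memory table so the code runs offline. A real receiver would only consult the table for a d= whose signature actually verified; an unverified d= is attacker-controlled and carries no reputation at all.

```python
"""Hypothetical multi-dimensional reputation lookup keyed on the DKIM d= domain.

Added example, not from the ietf-dkim list, VBR, or any real reputation
service. Record syntax, query-name layout, thresholds and SIC sets are
assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for DNS TXT answers. A real deployment would query a
# resolver for "<d= domain>._rep.<service>"; the table keeps the example offline.
FAKE_DNS_TXT: Dict[str, str] = {
    "examplebank.test._rep.rep.example": "v=rep1; s=20; c=90; sic=6021",
    "coffeeads.test._rep.rep.example":   "v=rep1; s=25; c=40; sic=5499",
    "shadyshop.test._rep.rep.example":   "v=rep1; s=10; c=85; sic=5961",
}

# Assumed SIC codes treated as "this sender is a bank" for the policy below.
SIC_BANKS = {"6021", "6022", "6029"}


@dataclass
class Reputation:
    score: int            # 0-100; higher is better (assumption)
    confidence: int       # 0-100; how sure the service is of its opinion
    sic: Optional[str]    # business-type code, if the service publishes one


def _tags(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' style tag lists; first '=' separates name and value."""
    out: Dict[str, str] = {}
    for tag in value.split(";"):
        name, _, val = tag.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip()
    return out


def dkim_signing_domain(header: str) -> Optional[str]:
    """Return the d= tag from a DKIM-Signature header value, lowercased."""
    d = _tags(header).get("d")
    return d.lower() if d else None


def parse_rep_record(txt: str) -> Optional[Reputation]:
    """Parse one hypothetical rep1 TXT record; reject malformed or out-of-range values."""
    t = _tags(txt)
    if t.get("v") != "rep1":
        return None
    try:
        score, confidence = int(t["s"]), int(t["c"])
    except (KeyError, ValueError):
        return None
    if not (0 <= score <= 100 and 0 <= confidence <= 100):
        return None
    return Reputation(score, confidence, t.get("sic"))


def lookup(domain: str, service: str = "rep.example",
           txt_table: Dict[str, str] = FAKE_DNS_TXT) -> Optional[Reputation]:
    """Simulated DNS lookup of the reputation record for a (verified) d= domain."""
    txt = txt_table.get(f"{domain}._rep.{service}")
    return parse_rep_record(txt) if txt else None


def decide(rep: Optional[Reputation]) -> str:
    """Receiver policy (thresholds are assumptions): no data or low confidence
    means no opinion; good score delivers; poor score rejects unless the org
    type says it is a real bank, which is spammy but unlikely to be a phish."""
    if rep is None or rep.confidence < 50:
        return "neutral"
    if rep.score >= 50:
        return "deliver"
    if rep.sic in SIC_BANKS:
        return "deliver-flagged"
    return "reject"


def classify_message(dkim_signature: str) -> str:
    """Tie the pieces together for one message whose signature is assumed to verify."""
    domain = dkim_signing_domain(dkim_signature)
    return decide(lookup(domain)) if domain else "neutral"


if __name__ == "__main__":
    # Constructed DKIM-Signature header value (bh= and b= are placeholders).
    sig = "v=1; a=rsa-sha256; d=ExampleBank.test; s=sel; h=from:to; bh=x; b=y"
    print(classify_message(sig))
```

The policy function is where the post's point lives: the same poor score leads to "reject" for an unknown retailer and "deliver-flagged" for a bank, and a low-confidence opinion is ignored entirely. Adding the separate spamminess and phishiness scales John mentions would mean more tags in the record and more branches in `decide`, not a different architecture.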
