On Sun, 7 Nov 2004, Hallam-Baker, Phillip wrote:
-----Original Message-----
From: Dean Anderson [mailto:dean(_at_)av8(_dot_)com]
On Thu, 4 Nov 2004, Hallam-Baker, Phillip wrote:
There are many RFCs that have reached draft standard status that
have never been deployed.
I don't think this is true; in this or any other WG. Your
claim runs counter to the requirements for Draft Standard
status. Do you have an example RFC demonstrating this?
Various parts of DNSSEC have reached draft standard (or are about to) with
no sign of deployment, IPSEC, IPv6, SMIME, PGP, various parts of PKIX the
list goes on.
I don't think it is the case that DNSSEC is about to reach "draft
standard" status, nor is it the case that there aren't test deployments
and "working" implementations of DNSSEC. For DNSSEC tools, a good site is
http://www.dnssec.net/software.php.
The oldest DNSSEC RFC is 2181 or perhaps 2535, 2536, etc. These are all
in "Proposed Draft Standard" status. There is much ongoing work on DNSSEC,
but I don't think anything will be finished in the near future. There are
still significant problems to overcome before these drafts can move
forward.
All you need is two interoperable implementations and a userbase noticable
to the IETF. The fact that 98% of the users of the internet will never use
it directly or indirectly does not matter.
The "userbase noticable" isn't requirement of the RFC process. The IETF
doesn't standardize based on popularity, but on consensus.
There are many protocols that have never progressed beyond
experimental or informational that are real defacto standards.
This has certainly happened, but I think usually this is due
to sloppiness by those WG chairs to take care of the business
of the working group and move drafts along.
Or the WG consensus choose a different protocol to the market.
Nobody in the IETF is elected, nobody is accountable. The inevitable
consequence of that situation is that nothing that the IETF does can ever
rise above the level of a personal opinion.
This is also not true. It may appear this way from time to time, but it
isn't literally true. I've been on the other end when rules are broken,
and no one seems to take responsibility. I can appreciate that it is
frustrating, believe me. There are others who have had similar experiences
with abuse. But, eventually, those who fail to take responsibility are
moved out. There are ways to make organizations follow their own rules.
When push comes to shove, organizations are obligated to follow their own
rules.
It is hard to say what the mental model of many participating
in the WG was. However, it is not the case that to "obtain
IETF standards status, then get deployed" is "in practice
only the way forward after a protocol is reasonably mature".
The point of the RFC process is to define clearly a protocol;
test, analyze, and fix flaws; and move forward based on
consensus that something useful is being achieved. It is not
a rubber stamp on "reasonably mature protocols".
The folk who were stopping at nothing to filibuster the proposal thought
that stopping Sender-ID in the IETF would kill it in the real world. In fact
nothing of the sort could ever happen.
I have a different view. And I saw no "filibuster". Rather, I saw people
trying to use the IETF to gain credibility for commercial exploitation, no
matter that they actaully created more harm, and no good. I think they
are chagrined at the loss of a "stamp of approval". The IETF isn't a
rubber-stamp.
But I have no illusions that any explanation or demonstration of the harms
of either Sender-ID or SPF will in anyway disuade those spam-profiteers
who described SPF and/or Sender-ID to the press as "ending spam". (eg, the
Linux World article, statements by Microsoft, etc). But at the end, I
recall people saying it was unnecessary to have any effect on spam, much
less "end spam". So, my opinion is that when people see an opportunity to
extract money, they'll go ahead no matter what. There is no interest in
stopping spam. Indeed, the Microsoft presentation given at the Anti-spam
conference at MIT demonstrated that. The MSN people noted that their
biggest complaints came from other divisions of Microsoft whose spam they
blocked (and that was unblocked). And while they weren't sharing their
techniques (better to exploit them that way), what little they did reveal
made me think they were using bayesian technique, though I think they
specifically denied using spam-bayes. I thought it odd for them to come to
a technical conference, give a presentation, and not actually share any
technical information. They even poked fun of Barry Shein for saying he
didn't trust any blackbox from Microsoft. The proceeding was video-taped,
and I think it can be downloaded off the web somewhere.
Its telling that most of the spam-profiteers think that spam-bayes is pure
evil. Its only evil to spam-profiteers because its free, and it prevents
them from making money on spam. These same people saying spam-bayes is
pure evil (eg Vixie) have made statements to the effect that anything that
helps reduce spam is good. Except spam-bayes. They say that's bad. Not
just a little bad. But terribly, horribly, drastically bad.
I've done some work applying information theory to spam, and have
discovered that there is no ultimate solution to spam. This is probably
worth writing up, unlike many of my observations of obvious flaws where
the noted flaws were so obvious as to be an embarrasment to the proposer,
rather than a credit to my insight. But the information theory work is
fairly obscure. In theory, the abuser can adapt to whatever you deploy,
and circumvent it. Read that again, with emphasis on THEORY, ADAPT,
WHATEVER, CIRCUMVENT. The best you can do is detect and adapt to whatever
they do. So you can keep doing whackamole. If fact, you can't do better
than whackamole.
But maybe you can do whackamole better. Of course, the abuser can do the
mole part better, too. So you can't ever win. It's unclear if uping the
stakes is a good bet. But we can think about doing that. So, if you want
to speed up the "detect and adapt" process, you need statistical methods.
Enter Bayes Rule, which specifies how to calculate conditional
probability. So, from a purely mathematical point of view, what you'd do
is something along the lines of spam-bayes. Spam-bayes may in fact be too
simple, and still too hard to train. But its going in the best direction.
In the end, it won't succeed either. But it will require the most from
the abuser to be the most adaptable and least predictable they can be.
Of course, not everyone agrees. And there could be better ways to react
faster. I have no proof that Bayesian filters are the //absolute best way
to play whackamole//, as opposed to just being in the right direction as
compared with other approaches, and as compared with constraints implied
by information theory. Indeed, I've thought that analyzing the meaning of
the message in relation to the recipient's interest in the content of the
message, like a human secretary, may be a good approach. This is probably
hard. Previous AI approaches failed. Automated text summarization
research seems to be useful. There may be other statistical methods, or
other non-statistical "detect and adapt" methods.
But the reaction to spam-bayes from the spam-profiteers is most telling.
They really, really, really hate the idea of spam-bayes. How is that? So
I wonder if maybe they hate spam-bayes because they can't make money on
it, and if its the best solution, then they won't make money on spam at
all. Too bad for them. I wonder, if they give up, if the abusers will
stop sending spam the same way that open relay abusers pretty much stopped
abusing open relays after the open relay blacklists shutdown.
One thing CAN-SPAM has demonstrated is that spammers aren't commercial.
I also speculated that was the case a long time ago, but it wasn't obvious
even to me that I was so completely right. I knew some few people were
conducting abuse for the sake of abuse. But I had no idea how much. So,
given that, it _could_ be possible that abusers might get tired of the
game and just choose to stop of their own accord. But I also thought that
virus writing was a fad that would lose its appeal, and it hasn't let up
some 15 years after I thought that. So I'm not always right. And Virus
writing seems to be related to spamming, so probably we can't expect
either to just stop someday.
Some people are bitter about that result, and suggest that
the IETF is therefore going to be "left in the dustbin".
That isn't the first time that claim has been leveled, nor
will it be the last.
It may well be one of the last opportunities the IETF gets. Other forums
elect their officers and run their WG is a responsible and accountable
manner.
Some other standards bodies do run a tighter ship. I used to work for one
of those forums. Certainly, the IETF could be run better. There is room
for criticism and improvement. But there is a nomination process for the
IETF chairman, and members of the IAB. The IETF is also an activity of
ICANN, which also has officers, elections, and bylaws. This all could be
improved, without doubt. But the basics are there. I doubt very much that
it will be the "last opportunity". That is just an implied ultimatum:
"Do this or else be ignored". I saw similar ultimatums from the radical
anti-spam community on subjects such as open relays. Nearly all of the
open relay blacklists closed because ISPs were blocking their scans. In
fact, I have seen a systematic scan in a long time. Nor has there been any
open relay abuse in a long time. Funny, that.
There is a high probability that the blogosphere will converge on
whatever ATOM decides, but the IETF could not have created the
blogosphere by simply ratifying an RFC.
The "blogosphere"? Is that like the punditariat?
The political weblogs that largely drove the last election campaign.
Yes. It was a joke, of sorts. The "punditariat" is the collection of
pundits who write editorials and opinion pieces. Before there were
weblogs, there were pundits. The pundits are sometimes referred to by
those in the political campaigns as the punditariat. A pun on the word
secretariat, which is a congress.
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000