Re: move to second stage, Re: Principles of Spam-abatement

Ed,

Thank you for the wealth of information. I forwarded this message to theSMTP-VERIFY subgroup of the ASRG where the current discussion of the"web of trust" is taking place so we can evaluate the information (thearchive can be found athttp://news.gmane.org/gmane.ietf.asrg.smtpverify/). If you or anyoneelse wants to join that list, let me know off-list (its a closed listwith about 30 members, separate from the main ASRG list).


I will get back to you once we digested your paper.

Yakov

Ed Gerck wrote:

Yakov Shafranovich wrote:
Go ahead - I am looking for any kind of solutions that the IETF can take
on in order to reduce the problem. Many solutions have been revolving
around trust - but in the world where a computer can be easily hijacked,
trust becomes harder to maintain.
Trust is the problem [1]. What you mention below is a valid way to
induce trust, namely by relying on trusted introducers (for trusted
*and* distrusted MTAs). The question of qualifying the trustedintroducers themselves is also qualitatively handled in the model yousummarize. One thing that is missing is what I call the trustedwitnesses, which are also necessary to induce trust [2].
Trusted introducers and trusted witnesses allow you to build twoopen-ended trust chains for every action, the witness chain providingthe assurances ("how did we get here?") that led to action (includingthe action itself) while the introducer chain ("where do we go fromhere?") provides the assurances both for a continuation of that action
and for other actions that may need assurances stemming from it.
One example of what the ASRG has been looking at is a distributed web of
reputation. Each MTAs or domain can publish a list of MTAs that it
knows, including basic statistics on how long the MTA has been sending
mail, average volume, etc. In addition to that basic information, you
can also publish additional information such as "I think this is a
spammer because SpamAssasin detects 99% of all email from that MTA as
spam", etc. The basic statistical information can be used to detect
zombies and the extended information can be used to allow like-thinking
domains to make joint decisions. The question of how much difference
this would make is up for debate, and there are questions of how a new
MTA can be introduced into the system, "rule of the mob", etc.
Seeing this as a web of trust would seem to clarify the issues you mentionand point out what's missing. Relying on reputation alone (and not also oncurrent behavior, etc.) can lead to race conditions, bait-and-switch,spoofing, laggard reactions, and a host of other threats that are easilyexploitable. BTW, if reputation alone would be a solution, eBay customerswould not have so many problems with online auctions -- the Federal TradeCommission says it receives more complaints about Internet auction fraudthan any other online scam. Internet auctions accounted for 48 percent ofall Internet fraud complaints filed with the commission in 2003 (1/26/04article by Brian Krebs on eBay Feedback Forgers).
Comments?

Cheers,
Ed Gerck

[1] Understanding human trust is exactly what brought me to that great
IT question in 1997: how can I trust a set of bytes? My answer provideda framework that has been useful in the field of information security.The answer also provides a framework for understanding human trust(as expected fulfillment of behavior) and bridging trust between humansand machines (as qualified information based on factors independent ofthat information). The original reference ishttp://nma.com/mcg-mirror/trustdef.htm
-- please google for "gerck trust" to find applications and comments
by others.

[2] An example is described in
http://nma.com/papers/e2e-security.htm#TR
"...under the principle that every action needs both a trustedintroducer and a trusted witness. We call this principle theTrust Induction Principle."