
Re: The Value of Reputation

2006-01-03 15:29:33
Jim Fenton <fenton(_at_)cisco(_dot_)com> wrote:
John Leslie wrote:

But, in my view, we have no basis to choose the "right" one unless
we have a good understanding of what it measures and a workable idea
of how to "end run" when it falsely rejects good messages.

I completely agree that reputation has a critical role (although
accreditation is important in many situations, as Phill has pointed out,
and should not be ignored).  However, I have come to believe that there
is a great deal of subtlety below the surface of any good reputation system:

- Preventing abusers from "gaming the system" to get good scores

   This, IMHO, can never be standardized. We can ask for a web page
(subject to change without notice) detailing what is measured, but I
doubt we could even standardize the questions such a web page should
answer.

- Preventing attackers from damaging the reputations of others

   This is an area which could benefit from standardization, IMHO.
I'm not sure, though, whether consensus is attainable. I think CSV
did a reasonable job here. While I think SPF fails at this, I doubt
we'd ever get the SPF folks to agree.

- Defending the reputation system against legal actions from those who
  feel they have been hurt

   I think we should steer clear of this issue.

- Making it all work within the law, considering privacy laws, restraint
  of trade, and so forth, considering that the laws governing this vary
  by jurisdiction

   I see no point in trying to standardize for conflicting jurisdictions.

For this reason, I don't think the operation of reputation systems
themselves should be defined by IETF; different users will have
different needs. 

   I entirely agree.

However, standard protocols for communicating with reputation systems
will be needed, and this is a very important area for IETF to address. 

   I would very much like to do so.

Transaction rates for lookups will be high, and careful protocol design
is needed.  The use of standard protocols in this area will allow
clients to pick a suitable reputation service, and to change services
without changing their infrastructure. 

   Ease of changing reputation services trumps most other considerations,
in the real world.

Both reporting and query protocols will need to be defined.

   Reporting, IMHO, needs a standardized minimal-set, not a full set.

   Query protocols should see _a_ standard query, which need not
necessarily return all available information.

Much of this applies to accreditation services as well, although there
are some different requirements (negotiating an accreditor to use
between sender and recipient/verifier, for example).

   In CSV, we standardized a way for sender to advertise accreditor(s).
I'm not sure if anything beyond that will be practical.

   The question of standards for reputation and accreditation, IMHO,
deserves IETF work and could deliver great value. But to be clear, I
do not think it belongs in DKIM.

--
John Leslie <john(_at_)jlc(_dot_)net>
