ietf
[Top] [All Lists]

RE: IP-based reputation services vs. DNSBL (long)

2008-11-10 16:06:53
2. Ask IETF to charter a working group tasked with developing a protocol
for communicating email sender reputation.   The group can consider
DNSBL as a possible solution but should not be bound by a requirement to
be compatible with it, or to use DNS at all.

   Lisa and Chris have stated that they're open to consider chartering
new WG if there seems to be consensus on a charter.

   What about it, folks?

As one of the people who objected when the previous spam WG was under way, I
now support this proposal to form a new WG to address the technical problem.

I hope the charter, unlike the previous one, will require the development of
a protocol for communicating email sender reputation that can be implemented
in email products without known patent encumbrances that are incompatible
with open source software. Email is simply too important to allow otherwise.

Best,

/Larry


Lawrence Rosen
Rosenlaw & Einschlag, a technology law firm (www.rosenlaw.com)
3001 King Ranch Road, Ukiah, CA 95482
707-485-1242 * cell: 707-478-8932 * fax: 707-485-1243
Skype: LawrenceRosen
Author of "Open Source Licensing: Software Freedom and 
                Intellectual Property Law" (Prentice Hall 2004)

-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org 
[mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of
John Leslie
Sent: Monday, November 10, 2008 12:38 PM
To: Keith Moore
Cc: IETF
Subject: Re: IP-based reputation services vs. DNSBL (long)

   I find myself in complete agreement with Keith's major points:

Keith Moore <moore(_at_)network-heretics(_dot_)com> wrote:

1. Several people have argued (somewhat convincingly) that:
...
It's important to keep these in mind, as they appear to make a
compelling case for some kind of standardized reputation service.

   I might add that we don't need to standardize anything if we're
happy with what we already have.

2. Several people have also related experiences of valid messages being
blocked by such reputation services, and of the difficulty of routing
around them and getting their reputations corrected.
...

   Many "ordinary" folks are abandoning email rather than even _try_
to fix such problems.

3. An informal protocol for reporting reputations using DNS has been in
use for several years, and such use has become widespread.  An IRTF
group (ASRG) began a useful effort to document this protocol.

   Such an effort is clearly useful for research purposes, and should
also be useful for any future attempts at standardization.

4. At some point ASRG decided that the protocol should be on the IETF
standards track and has requested such.

   This is where we went wrong.

   Well, actually we went wrong quite a while ago, when a prior IESG
decided not to have a WG considering the spam problem in general. I
can't entirely blame the folks who have latched onto IRTF's ASRG in
the absence of an appropriate IESG forum.

   (And now we're carrying out a flame-war here -- a clear indication
IMHO that we need an IETF (not IRTF) list to move this discussion to.)

This process that produced this proposal reminds me of several patterns
I've seen come up often in IETF.

1. The first pattern is when an author or group gets confused between
the goal of writing an informational document to describe existing
practice, and the goal of writing a standards-track document that
describes desirable practice.

   This is human nature. IETF has developed protections againt this
(which do not require flame-wars). We should use them.

2. The second pattern is when people insist that a widely deployed
protocol is inherently deserving of standardization, without further
vetting or changes, merely because it is widely deployed.

   This is commercial nature. IETF could use better protections against
this...

3. The third pattern is when a closed industry group, or an open group
that is not chartered to develop a standard protocol, insists that its
product merits standardization by IETF because it has gained consensus
of that group.

   This is not necessarily bad. But IESG (usually) tries to avoid the
situation getting this far -- by giving widespread notice of a WG charter
and encouraging cross-area review _before_ IETF last-call.

Such efforts can be considered in the IETF process as individual
submissions, but they need a great deal of scrutiny...

   I entirely agree, even though the necessary scrutiny is easy to
misinterpret as personal attacks by folks who "don't understand the
situation".

The main point to be made here is that the consensus of an external
group means nothing in terms of either IETF consensus or judgment of
technical soundness.  In particular, external groups often have a much
narrower view of protocol requirements than IETF does.

   This is important! It's worth reading again.

All of these patterns are associated with delays in accepting a
standard.  They are also associated with poorer quality standards.

So my recommendation to ASRG (and this document's authors) is as
follows:

1. Abandon the effort to publish draft-irtf-asrg-dnsbl as a standards
track document, and instead commit to publishing it as an Informational
document as an accurate description of existing practice.  Be sure to
document observed limitations of existing practice.

   This is really easy to do, and wouldn't cause any delays.

2. Ask IETF to charter a working group tasked with developing a protocol
for communicating email sender reputation.   The group can consider
DNSBL as a possible solution but should not be bound by a requirement to
be compatible with it, or to use DNS at all.

   Lisa and Chris have stated that they're open to consider chartering
new WG if there seems to be consensus on a charter.

   What about it, folks?

--
John Leslie <john(_at_)jlc(_dot_)net>
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf