spf-discuss

accreditation versus reputation

2004-02-25 22:41:09
This message briefly describes how senders use accreditation systems,
and how receivers use reputation systems.

I think of them as seconds in a duel: the sender relies on
accreditation, and the receiver relies on reputation systems.

              sender             /          receiver
 authentication -> accreditation / reputation -> enforcement

DNSBLs are reputation systems; right now the vast majority of structured
reputation systems are based on IP because that is the only unspoofable
thing.

Content filters are basically an unstructured reputation system.
They're based on heuristics, easy to tweak, and easier to game.

Message signatures are a structured reputation system, but because I
don't want to get into DATA I am interested in structured reputation
systems in the envelope.

If sender authentication manages to change the landscape of email,
reputation systems will become much more powerful: the return-path will
become useful, and once we have an accountable domain to key off, we'll
be able to link to accreditation schemes.

So the vision is:

- example.com has an SPF record

- example.com uses SPF to authoritatively declare a given SMTP
  connection legitimate or forged, *before* DATA

- the SMTP receiver uses this information to reject forgeries, and
  proceed only if example.com owns to the transaction.

- example.com's SPF record also contains a link to an accreditation
  provider, e.g. IADB

- the SMTP receiver queries IADB to confirm that example.com is
  accredited, and downloads a list of vouches.

- vouches can assert anything at all:
  - example.com has a bond on file with IADB to the amount of $10k
  - example.com offers to micropay $0.01 per message to the receiver
    - if the receiver decides the message is spam
    - always
  - example.com offers to micropay $0.01 per message to a charity
    - if the receiver decides the message is spam
    - always
  - example.com has a legal address on file with the accreditation
    agency where, if you decide the message is spam, you can sue them
  - example.com is run by a guy who has blue hair and brown eyes
  - example.com bought IADB a round of drinks last time they met
  - etc etc

- the receiver analyzes these vouches by asking a reputation system:
  - what IADB's word is worth
  - what it knows about the sender
    - complaint ratio
    - age of domain
    - etc
  - what it knows about the vouches
  - what each vouch is worth

- the receiver then accepts or rejects the message.



accreditation versus reputation, Meng Weng Wong
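The sender/receiver pipeline sketched in the message above, worked through as an added Python model. This is not Meng Weng Wong's code and not any real SPF or IADB interface: the `accredit=` modifier that points a domain's SPF record at an accreditation provider is an assumed syntax (SPF defines no such modifier), the DNS records, accreditation data, vouches, trust weights and sender history are all constructed in memory, and the scoring weights are arbitrary illustrations of the "what is IADB's word worth / what is each vouch worth" step.

```python
"""Toy model of the pipeline in the post:
   sender:   authentication (SPF) -> accreditation
   receiver: reputation -> enforcement
Everything is constructed in memory (no DNS, no network). Added illustration,
not the post author's code and not a real accreditation-provider interface."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups (domain -> TXT records).
# "accredit=<provider>" is an ASSUMED modifier meaning "my accreditation
# provider is <provider>"; SPF itself defines no such modifier.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all accredit=iadb.example"],
    "unlisted.example": ["v=spf1 ip4:198.51.100.7 ~all"],
}

# Constructed accreditation data: provider -> domain -> vouches it will make.
ACCREDITATION = {
    "iadb.example": {
        "example.com": [("bond_usd", 10000),
                        ("micropay_per_spam_usd", 0.01),
                        ("legal_address_on_file", True)],
    },
}

# Constructed receiver-side reputation data (all weights are illustrative).
ACCREDITOR_TRUST = {"iadb.example": 0.8}           # what the accreditor's word is worth
SENDER_HISTORY = {                                  # what the receiver knows about the sender
    "example.com":      {"complaint_ratio": 0.002, "domain_age_days": 3000},
    "unlisted.example": {"complaint_ratio": 0.2,   "domain_age_days": 12},
}
VOUCH_WORTH = {                                      # what each kind of vouch is worth (0..1)
    "bond_usd":              lambda v: min(v / 10000, 1.0),
    "micropay_per_spam_usd": lambda v: min(v * 50, 1.0),
    "legal_address_on_file": lambda v: 0.5 if v else 0.0,
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain):
    """Evaluate the domain's SPF record against the connecting IP, before DATA.
    Handles ip4/ip6/all (all the constructed records use); returns (result, modifiers)."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none", {}
    terms = records[0].split()[1:]
    mods = dict(t.split("=", 1) for t in terms if "=" in t)   # modifiers apply wherever they sit
    ip = ipaddress.ip_address(client_ip)
    for term in (t for t in terms if "=" not in t):
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all" or (name in ("ip4", "ip6")
                             and ip in ipaddress.ip_network(arg, strict=False)):
            return RESULT[qual], mods
    return "neutral", mods                                      # no mechanism matched


def lookup_vouches(domain, accreditor):
    """Stand-in for querying the accreditation provider named in the SPF record."""
    return ACCREDITATION.get(accreditor, {}).get(domain)


def score_sender(domain, accreditor, vouches):
    """Receiver-side reputation: weigh the sender's own history, then each vouch
    discounted by how much the receiver trusts the accreditor that issued it."""
    hist = SENDER_HISTORY.get(domain, {"complaint_ratio": 0.05, "domain_age_days": 0})
    score = -10 * hist["complaint_ratio"]                       # complaints dominate
    score += 0.5 * min(hist["domain_age_days"] / 365, 1.0)       # age earns a little trust
    trust = ACCREDITOR_TRUST.get(accreditor, 0.0)
    for kind, value in vouches or []:
        score += trust * VOUCH_WORTH.get(kind, lambda v: 0.0)(value)
    return round(score, 3)


@dataclass
class Decision:
    spf: str
    accreditor: Optional[str]
    accredited: bool
    score: float
    action: str


def decide(client_ip, mail_from_domain, threshold=0.5):
    """Enforcement: forgeries are rejected on the SPF result alone; only an
    authenticated (accountable) domain unlocks the accreditation/reputation path."""
    spf, mods = check_spf(client_ip, mail_from_domain)
    if spf == "fail":
        return Decision(spf, None, False, 0.0, "reject")         # forged: stop before DATA
    if spf != "pass":
        return Decision(spf, None, False, 0.0, "fallback")       # no accountable domain: content filter
    accreditor = mods.get("accredit")
    vouches = lookup_vouches(mail_from_domain, accreditor) if accreditor else None
    score = score_sender(mail_from_domain, accreditor, vouches)
    return Decision(spf, accreditor, vouches is not None, score,
                    "accept" if score >= threshold else "reject")


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                    ("198.51.100.7", "unlisted.example"), ("198.51.100.7", "nospf.example")]:
        print(ip, dom, decide(ip, dom))
```

The split the post draws is visible in the code: `check_spf` and `lookup_vouches` consume what the sender published (authentication and accreditation), while `score_sender` and `decide` are entirely the receiver's business (reputation and enforcement). A forged connection never reaches the accreditation lookup, and a domain that authenticates but carries no vouches and a poor complaint history is judged on that history alone.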