spf-discuss

Re: Authentication, Accreditation, and Reputation

2004-08-14 09:56:46
On Sat, Aug 14, 2004 at 08:53:39AM -0400, John Glube wrote:

> The purpose of an accreditation service is to:
>
> * facilitate the process of obtaining and maintaining a
> good reputation;


Accreditation has nothing to do with reputation.  Reputation is a
behavioral metric, and the only behavior that matters here is:  does this
identity have a history of sending spam or ham?  Whether the identity
has the wherewithal to purchase accreditation is a non-issue.

This isn't just my opinion, by the way.  All the literature on reputation
systems that I've been able to find (dig through CiteSeer, for example)
defines reputation as a behavioral metric directly tied to the actions of
an agent in the arena to which the reputation applies.  I.e., there's no
notion of "accreditation" included.



> A person may decide, since I have published the appropriate
> SPF, E-mail policy, CSV records, I am prepared to allow
> sufficient data to accumulate and gain a good reputation.

Reputation has nothing to do with information provided by the sender.
It's based on information observed by the receiver in the act of
receiving the mail.  I could build a reputation rating for an identity
today based solely on the contents of MAIL FROM:, HELO/EHLO, the IP from
which the mail is being sent, and a determination of whether that mail
is spam or ham.  Things such as SPF record publishing, CSV, SSL certs
and so forth have no bearing on whether you're forging MAIL FROM: and
HELO/EHLO, whether you're sending mail from an IP from which you don't
normally send mail, and whether the content of that mail is spam.



-- 
Mark C. Langston            GOSSiP Project          Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org   http://sufficiently-advanced.net    
mark(_at_)seti(_dot_)org
Systems & Network Admin      Distributed               SETI Institute
http://bitshift.org       E-mail Reputation       http://www.seti.org
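
The receiver-side rating described in the message above, sketched as an added example that is not part of the original post or of the GOSSiP Project's code. The class name, the smoothed scoring formula and the sample observations are assumptions made for illustration; the inputs are only the MAIL FROM domain, the HELO/EHLO name, the sending IP and the receiver's own spam/ham verdict.

```python
from collections import defaultdict

class ReceiverReputation:
    """Reputation from receiver-side observations only (no sender-published data)."""
    def __init__(self):
        self.counts = defaultdict(lambda: [0, 0])   # identity -> [ham, spam]
        self.ham_ips = defaultdict(set)             # MAIL FROM domain -> IPs seen sending ham

    @staticmethod
    def domain(mail_from):
        return mail_from.rsplit("@", 1)[-1].lower()

    def identity(self, mail_from, helo, ip):
        # Key on the three observed values: MAIL FROM domain, HELO/EHLO, peer IP.
        return (self.domain(mail_from), helo.lower(), ip)

    def observe(self, mail_from, helo, ip, is_spam):
        self.counts[self.identity(mail_from, helo, ip)][1 if is_spam else 0] += 1
        if not is_spam:
            self.ham_ips[self.domain(mail_from)].add(ip)

    def score(self, mail_from, helo, ip):
        # Assumed formula: Laplace-smoothed ham fraction (0.5 with no history).
        ham, spam = self.counts.get(self.identity(mail_from, helo, ip), (0, 0))
        return (ham + 1) / (ham + spam + 2)

    def unusual_ip(self, mail_from, ip):
        # True when the domain has ham history, but none from this IP.
        seen = self.ham_ips.get(self.domain(mail_from))
        return bool(seen) and ip not in seen

# Constructed observations: (MAIL FROM, HELO, peer IP, receiver's spam verdict)
SAMPLE = [
    ("alice@example.org", "mx1.example.org", "192.0.2.10", False),
    ("bob@example.org", "mx1.example.org", "192.0.2.10", False),
    ("carol@example.org", "mx1.example.org", "192.0.2.10", False),
    ("alice@example.org", "dsl-host.example.net", "198.51.100.7", True),
    ("alice@example.org", "dsl-host.example.net", "198.51.100.7", True),
]

def build(sample=SAMPLE):
    rep = ReceiverReputation()
    for mail_from, helo, ip, is_spam in sample:
        rep.observe(mail_from, helo, ip, is_spam)
    return rep

if __name__ == "__main__":
    rep = build()
    print(rep.score("x@example.org", "mx1.example.org", "192.0.2.10"))
```

The same MAIL FROM domain ends up with two separate ratings, one per observed HELO/IP pair, which is how a forged sender from an unfamiliar host is kept apart from the domain's usual traffic.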