
RE: Authentication, Accreditation, and Reputation

2004-08-14 17:21:18
Mark,

<snip>

Basing a reputation on an agreement to preclude certain
future behavior is folly.  Reputation is earned through
past behavior.  What you're describing is trust, which may
be based on reputation and/or a number of other factors. 
In your specific description above, that trust would
include not only reputation, but the reputation of and
trust in the enforcement mechanisms and agencies, as well
as the trust in the identity to modify its behavior in
response to those enforcement mechanisms being brought to
bear.

Understand I was framing the issues within a certain
context. Having said this, I agree with your comments.

Just so we are clear, let's rephrase the statement as
follows:

Reputation is the measure of an identity's behavior. It can
be based on observations concerning the identity's past
behavior.  Here the question is does the identity send ham
or spam?  Trust is the measure we can give to whether an
identity will comply with a set of standards concerning how
it will behave, with rewards given and punishments received
for failing to comply with these standards.

Here the question is can we trust that the identity is
sending ham not spam?

The trust value placed by those relying on how the
identity will behave depends on:

* whether the set of standards complies with the
community's understanding of what is ham or spam; and

* whether the community perceives the rewards and
punishments are likely to ensure the identity sends ham not
spam.

An accreditation service will want to assess past behavior:

* specifically as it concerns the question of whether the
identity does send ham or spam; and 

* generally as to the identity's behavior and how this
bears on the question of whether the identity will send ham
or spam.

An accreditation service will want to:

* provide an indicator of the identity's present behavior;

* monitor the identity's present behavior to ensure
compliance with the agreed set of behavioural standards;

* act as a facilitator between senders and receivers;

* resolve compliance issues and as required render
punishment.

The specificity given to the indicator will depend on the:

* query set asked of the identity; and

* agreed set of behavioural standards.

Regardless of accreditation method, the stick is the
enforcement.  Show me an accreditation mechanism with a
meaningful, punitive enforcement mechanism, and I'll
support it. (note:  this does not include "but you'll have
to buy a new cert!" enforcements).

Understood and agreed. 

The ultimate punishment for violating a trust is that the
person is permanently prohibited from carrying out the
trusted activity for the rest of his or her natural life
and the individual can't simply or easily circumvent this
prohibition.

Applying this statement to our situation, violate the trust
given by sending unsolicited bulk email and you are
permanently prohibited from using email for the rest of
your life.

There are a number of questions:

* Is this too extreme? 

This is not complex. Don't send unsolicited bulk email.

Mailing lists require verified opt-in or closed loop
verification. 

This is not complex. Don't send unsolicited bulk email.

Deliberate violations of trust like doing a spam run
require swift action and punitive punishment.

* Should there be an opportunity for rehabilitation? 

Okay, you violated the trust, you were punished, paid the
fine, honored the prohibition. A period of time has lapsed. 

Should the individual be able to reapply? If so, what
criteria apply?

* How to enforce the prohibition and prevent circumvention? 

Technically the simplest way is to publish the violator's
identity in a public database, which can be accessed by
others and used to 'blacklist' the individual and so forth,
along with imposing a punitive fine.

The problem is that the individual can easily go bankrupt
to prevent collection, while changing identity to go out
and start spamming again. 

How? Use another person as a front to buy a domain, access
the internet, acquire the needed software and start sending
spam.

This suggests as part of the initial arrangement, the
individual has to agree in essence up front, violate the
trust and not only are you prohibited from sending email,
but you will not take any steps to avoid complying with
this prohibition or to prevent collection of the fine.

It also means the accreditation service has to be prepared
to enforce this aspect of the agreement.

Another way to deal with this issue is to make
accreditation mean something more than, "okay I need to pay
this service x dollars to get a rating if I want my email
delivered." 

Rather make it "a privilege or an honor to receive
accreditation," so creating a "fear of shame and loss if
one violates the trust."

The issue of punishment is simple in one sense, but complex
in another and one needs to give thought as to how to set
up the appropriate punishment and enforcement mechanisms,
so that the whole exercise is not just a paper tiger.

Any suggestions on these points, beyond what I have stated?

John
 
John Glube
Toronto, Canada
 
voice: 416-535-6366; mailto:john(_at_)learnsteps4profit(_dot_)com
private message:  http://adcopy.quikonnex.com/
 
Discover How Anyone Can Get More Buyers
http://www.learnsteps4profit.com

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Mark C.
Langston
Sent: August 14, 2004 6:21 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Authentication, Accreditation, and
Reputation

On Sat, Aug 14, 2004 at 06:10:14PM -0400, John Glube wrote:
Mark,

I appreciate your comments.

Okay, let's just go back to the 'big' picture for the
moment and let me put forward the following for discussion:

Reputation is the measure of an identity's behavior. It can
be based on observations concerning the identity's past
behavior.

Here the question is does the identity send ham or spam?

I suggest it can also be based on an agreement by the
identity to comply with a set of standards concerning how
it will behave, with rewards given and punishments received
for failing to comply with the set of standards.

Basing a reputation on an agreement to preclude certain
future behavior is folly.  Reputation is earned through
past behavior.  What you're describing is trust, which may
be based on reputation and/or a number of other factors.
In your specific description above, that trust would
include not only reputation, but the reputation of and
trust in the enforcement mechanisms and agencies, as well
as the trust in the identity to modify its behavior in
response to those enforcement mechanisms being brought to
bear.

Regardless of accreditation method, the stick is the
enforcement.  Show me an accreditation mechanism with a
meaningful, punitive enforcement mechanism, and I'll
support it. (note:  this does not include "but you'll have
to buy a new cert!" enforcements).

-- 
Mark C. Langston              GOSSiP Project                     Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org  http://sufficiently-advanced.net   mark(_at_)seti(_dot_)org
Systems & Network Admin       Distributed E-mail Reputation      SETI Institute
http://bitshift.org                                              http://www.seti.org

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.737 / Virus Database: 491 - Release Date: 11/08/2004