spf-discuss

Re: defining reputation and accreditation.

2004-09-20 01:21:44
Meng wrote:

>OK, I think this is a sign that we really need to agree on
>our terms :)


Well, we can at least agree on that. :-)

>Here's the reason I think Habeas and Bonded Sender are
>accreditation services: if you follow the money, senders pay
>to be listed.  Listing may require senders to follow certain
>guidelines, but ultimately, listing in those systems is of
>benefit to senders who might otherwise face difficulty
>getting their mail accepted.
>...
>Reputation systems, in my view, operate on behalf of
>receivers, and do not require payment from senders to be
>listed; if anything, receivers benefit from an agency
>operating on their behalf, and so, again, if you follow the
>money, you see receiving ISPs and enterprises writing checks
>to sites like mail-abuse.org and spamhaus.org.

Aaaah..but your very set of examples highlights where your definition breaks down.


>By my definition, accreditation services operate on behalf
>of senders, and make assertions about future behaviour.
>
>Reputation services operate on behalf of receivers, and make
>assertions about past behaviour.


I think this is too simplistic.

Both MAPS and SPEWS, and Bonded Sender and Habeas, are "should do because" lists.

In the case of MAPS and SPEWS, which are blacklists, you should reject mail from the IPs listed thereon, because they've been naughty senders -- because they have done something which by *the list owner's definition* indicates you should reject the mail (although of course they will never admit that they think you should reject the mail).

In the case of Bonded Sender and Habeas, which are whitelists, you should accept and deliver the mail, because the people responsible for the IPs listed thereon have promised that email will not be spam -- because they have done something which by *the list owner's definition* indicates you should accept the mail.

In both cases the list owner is creating and selling an associated reputation for a fee - in the blocklist case the fee is paid by the receiver, and in the whitelist the fee is paid by the sender, but make *no* mistake - they are both created for and serve at the leisure of the *receiver*. Receivers query both sets of lists because it is information _they want_ to help them make email processing and delivery decisions.

In both cases, the response you get when you do a lookup is not a point in fact, but an opinion or reputation-point which may be based on underlying fact, but is once-removed from fact. With MAPS and SPEWS a listing means "we believe this IP address to send spam by our definition". With Habeas and Bonded Sender you get "email coming from this IP address is "not spam" by our definition".

By contrast, accreditation says "we have checked out these entities, and here is some factual data about them". Here is information about their mailing practices, about their email policies, about how they run their lists, about whether they publish authentication records, and whether they belong to credible industry groups which indicate that they are doing the right thing. Now *you* make the decision, based on that data, as to how you want to process and handle email from them.

This is one of the reasons that accreditation and reputation are two parts of the same email acceptance and delivery puzzle. You need both. It's not unlike colleges and accreditation. You want to make sure that you go to a college that is accredited - it means that they have been through a certain accreditation process - but you also want to go to a college which has a good reputation. You would no more go to a college which was accredited but had a bad reputation than you would go to a college which had a good reputation but was not accredited.

Ken wrote:

>The VeriSign Verified Domains List is an accreditation database.

Hmm..has it changed since the description on VeriSign's 6/28/04 press release, in which it was described thusly?:

"• Domain Authentication - Ensuring all e-mail comes from legitimate business entities by checking addresses against VeriSign's own Verified Domains List (VDL). Based on VeriSign's SSL digital certificate issuance process, the VDL contains domain names that are manually verified to have legitimate business owners with authentic and traceable identities."

To me this sounds very much like an authentication database, rather than an accreditation database.

Anne

