Re: defining reputation and accreditation.
2004-09-20 01:21:44
Meng wrote:
> OK, I think this is a sign that we really need to agree on
> our terms :)
Well, we can at least agree on that. :-)
> Here's the reason I think Habeas and Bonded Sender are
> accreditation services: if you follow the money, senders pay
> to be listed. Listing may require senders to follow certain
> guidelines, but ultimately, listing in those systems is of
> benefit to senders who might otherwise face difficulty
> getting their mail accepted.
> ...
> Reputation systems, in my view, operate on behalf of
> receivers, and do not require payment from senders to be
> listed; if anything, receivers benefit from an agency
> operating on their behalf, and so, again, if you follow the
> money, you see receiving ISPs and enterprises writing checks
> to sites like mail-abuse.org and spamhaus.org.
Aaaah..but your very set of examples highlights where your definition
breaks down.
> By my definition, accreditation services operate on behalf
> of senders, and make assertions about future behaviour.
> Reputation services operate on behalf of receivers, and make
> assertions about past behaviour.
I think this is too simplistic.
Both MAPS and SPEWS, and Bonded Sender and Habeas, are "should do
because" lists.
In the case of MAPS and SPEWS, which are blacklists, you should reject
mail from the IPs listed thereon, because they've been naughty senders
-- because they have done something which by *the list owner's
definition* indicates you should reject the mail (although of course
they will never admit that they think you should reject the mail).
In the case of Bonded Sender and Habeas, which are whitelists, you
should accept and deliver the mail, because the people responsible for
the IPs listed thereon have promised that email will not be spam --
because they have done something which by *the list owner's definition*
indicates you should accept the mail.
In both cases the list owner is creating and selling an associated
reputation for a fee - in the blocklist case the fee is paid by the
receiver, and in the whitelist the fee is paid by the sender, but make
*no* mistake - they are both created for and serve at the leisure of
the *receiver*. Receivers query both sets of lists because it is
information _they want_ to help them make email processing and delivery
decisions.
In both cases, the response you get when you do a lookup is not a point
in fact, but an opinion or reputation-point which may be based on
underlying fact, but is once-removed from fact. With MAPS and SPEWS a
listing means "we believe this IP address to send spam by our
definition". With Habeas and Bonded Sender you get "email coming from
this IP address is "not spam" by our definition".
By contrast, accreditation says "we have checked out these entities,
and here is some factual data about them". Here is information about
their mailing practices, about their email policies, about how they run
their lists, about whether they publish authentication records, and
whether they belong to credible industry groups which indicate that
they are doing the right thing. Now *you* make the decision, based on
that data, as to how you want to process and handle email from them.
This is one of the reasons that accreditation and reputation are two
parts of the same email acceptance and delivery puzzle. You need
both. It's not unlike colleges and accreditation. You want to make
sure that you go to a college that is accredited - it means that they
have been through a certain accreditation process - but you also want
to go to a college which has a good reputation. You would no more go
to a college which was accredited but had a bad reputation than you
would go to a college which had a good reputation but was not
accredited.
Ken wrote:
>The VeriSign Verified Domains List is an accreditation database.
Hmm..has it changed since the description on VeriSign's 6/28/04 press
release, in which it was described thusly?:
"• Domain Authentication - Ensuring all e-mail comes from legitimate
business entities by checking addresses against VeriSign's own Verified
Domains List (VDL). Based on VeriSign's SSL digital certificate
issuance process, the VDL contains domain names that are manually
verified to have legitimate business owners with authentic and
traceable identities."
To me this sounds very much like an authentication database, rather
than an accreditation database.
Anne