[ietf-dkim] Re: The Value of Reputation
Nick Nicholas
Nick at habeas.com
Wed Jan 4 08:51:31 PST 2006

[Note: ietf at ietf.org removed from distribution because I am not a
subscriber to that list and have no intention of subscribing because I
am already subscribed to way too many mailing lists. If a subscriber to
ietf at ietf.org feels it is appropriate, please feel free to forward this
message to that list.]

On Tuesday, January 03, 2006 at 1:46 PM Jim Fenton wrote:
> I completely agree that reputation has a critical role
> (although accreditation is important in many situations, as
> Phill has pointed out, and should not be ignored). However,
> I have come to believe that there is a great deal of subtlety
> below the surface of any good reputation system:
>
> - Preventing abusers from "gaming the system" to get good scores
> - Preventing attackers from damaging the reputations of others
> - Defending the reputation system against legal actions from
> those who feel they have been hurt
> - Making it all work within the law, considering privacy
> laws, restraint of trade, and so forth, considering that the
> laws governing this vary by jurisdiction
>
> For this reason, I don't think the operation of reputation
> systems themselves should be defined by IETF; different users
> will have different needs. However, standard protocols for
> communicating with reputation systems will be needed, and
> this is a very important area for IETF to address.
> Transaction rates for lookups will be high, and careful
> protocol design is needed. The use of standard protocols in
> this area will allow clients to pick a suitable reputation
> service, and to change services without changing their
> infrastructure. Both reporting and query protocols will need
> to be defined.
>
> Much of this applies to accreditation services as well,
> although there are some different requirements (negotiating
> an accreditor to use between sender and recipient/verifier,
> for example).

Jim makes some excellent points and raises several interesting avenues
of discussion which I would love to pursue. However, is the DKIM
mailing list the proper forum for doing so? It was my understanding
that the main item on the table at this time is finalizing the threats
document. Other venues where it might be better to discuss the topics
Jim raises could be the Anti-Spam Research Group's Identity,
Authentication and Reputation subgroup, or the "dia-blog" associated
with the Open Reputation System project. The former is quite moribund,
and John Levine is pleading for some activity there. The ORS dia-blog,
OTOH, is somewhat more active.

Information about the ASRG IAR can be found at
http://asrg.sp.am/subgroups/iar.shtml. The ORS dia-blog is at
http://ors.blogs4change.org/. If you are interested in becoming a
designated "author" on the ORS dia-blog please let me know and I will
put you in touch with the person who can enable that for you.

Regards,
Nick
--
Nick Nicholas
Knowledge Engineer
Habeas Inc.
650-694-3320
nick at habeas.com