Re: The Value of Reputation

Jim Fenton <fenton@xxxxxxxxx> wrote:
> John Leslie wrote:
> 
>> But, in my view, we have no basis to choose the "right" one unless
>> we have a good understanding of what it measures and a workable idea
>> of how to "end run" when it falsely rejects good messages.
> 
> I completely agree that reputation has a critical role (although
> accreditation is important in many situations, as Phill has pointed out,
> and should not be ignored).  However, I have come to believe that there
> is a great deal of subtlety below the surface of any good reputation system:
> 
> - Preventing abusers from "gaming the system" to get good scores

   This, IMHO, can never be standardized. We can ask for a web page
(subject to change without notice) detailing what is measured, but I
doubt we could even standardize the questions such a web page should
answer.

> - Preventing attackers from damaging the reputations of others

   This is an area which could benefit from standardization, IMHO.
I'm not sure, though, whether consensus is attainable. I think CSV
did a reasonable job here. While I think SPF fails at this, I doubt
we'd ever get the SPF folks to agree.

> - Defending the reputation system against legal actions from those who
>   feel they have been hurt

   I think we should steer clear of this issue.

> - Making it all work within the law, considering privacy laws, restraint
>   of trade, and so forth, considering that the laws governing this vary
>   by jurisdiction

   I see no point in trying to standardize for conflicting jurisdictions.

> For this reason, I don't think the operation of reputation systems
> themselves should be defined by IETF; different users will have
> different needs. 

   I entirely agree.

> However, standard protocols for communicating with reputation systems
> will be needed, and this is a very important area for IETF to address. 

   I would very much like to do so.

> Transaction rates for lookups will be high, and careful protocol design
> is needed.  The use of standard protocols in this area will allow
> clients to pick a suitable reputation service, and to change services
> without changing their infrastructure. 

   Ease of changing reputation services trumps most other considerations,
in the real world.

> Both reporting and query protocols will need to be defined.

   Reporting, IMHO, needs a standardized minimal-set, not a full set.

   Query protocols should see _a_ standard query, which need not
necessarily return all available information.

> Much of this applies to accreditation services as well, although there
> are some different requirements (negotiating an accreditor to use
> between sender and recipient/verifier, for example).

   In CSV, we standardized a way for sender to advertise accreditor(s).
I'm not sure if anything beyond that will be practical.

   The question of standards for reputation and accreditation, IMHO,
deserves IETF work and could deliver great value. But to be clear, I
do not think it belongs in DKIM.

--
John Leslie <john@xxxxxxx>

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
