IETF Logo Mail Archive

Re: [apps-discuss] Updating the status of SPF

Scott Kitterman <scott@kitterman.com> Fri, 12 August 2011 18:14 UTC

Return-Path: <scott@kitterman.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0624521F8779 for <apps-discuss@ietfa.amsl.com>; Fri, 12 Aug 2011 11:14:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tbAAqAkc8NEk for <apps-discuss@ietfa.amsl.com>; Fri, 12 Aug 2011 11:14:05 -0700 (PDT)
Received: from mailout00.controlledmail.com (mailout00.controlledmail.com [72.81.252.19]) by ietfa.amsl.com (Postfix) with ESMTP id 083FF21F8751 for <apps-discuss@ietf.org>; Fri, 12 Aug 2011 11:14:05 -0700 (PDT)
Received: from mailout00.controlledmail.com (localhost [127.0.0.1]) by mailout00.controlledmail.com (Postfix) with ESMTP id E7E4738C12D; Fri, 12 Aug 2011 14:14:40 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1313172881; bh=aXbKPBMRN/X//4vNwG5PljjtpGuNOWFJGy2q7J53Zr0=; h=From:To:Subject:Date:References:In-Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Message-Id; b=QYY7G7/MbMbtILc8y6dbYuper0NvaS7cKavNlFPd5hffgTkc0mycK9gFDSRI8ifLr k1h8eUmi9VoE8cvMm7FfXDZkOIX6JcRUaq2f7dNOxoYeQdUabKu3VOZd73hNFyghky cUjOKFQpN4bRBtdKPsRbaBmKa4fQ3GTetmDULNmU=
From: Scott Kitterman <scott@kitterman.com>
To: apps-discuss@ietf.org
Date: Fri, 12 Aug 2011 14:14:39 -0400
User-Agent: KMail/1.13.6 (Linux/2.6.38-10-generic-pae; KDE/4.6.2; i686; ; )
References: <20110809225415.89118.qmail@joyce.lan> <201108111351.34118.scott@kitterman.com> <4E456A8A.3050802@dcrocker.net>
In-Reply-To: <4E456A8A.3050802@dcrocker.net>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201108121414.39555.scott@kitterman.com>
X-AV-Checked: ClamAV using ClamSMTP
Subject: Re: [apps-discuss] Updating the status of SPF
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2011 18:14:06 -0000

On Friday, August 12, 2011 02:01:46 PM Dave CROCKER wrote:
> Scott,
> 
> I have some questions about the current draft of the charter.  For the
> moment,
> 
> I'm merely trying to get a better understanding of what is intended:
> >       Determining the trustworthiness of content on the Internet remains
> >       a
> 
> What is meant by "trustworthiness of content"?
> 
> Two examples are that it might mean that it really was created by the
> purported author.  Or it might mean that its contents are "valid" (which
> might invite some discussion about "validity", of course.) There are other
> possibilities.
> 
> > 	(RFC4871).  However, legitimate and illegitimate users alike can
> 
> What is an "illegitimate user"?
> 
> > 	take advantage of these schemes.  What is also required is a
> > 	meaningful assessment of the trustworthiness of the identifier's
> > 	owner.  This in turn permits making a meaningful choice about what
> > 	to do with the associated content.
> 
> Is the work of the group intended to cover "what to do with the associated
> content"?
> 
> > 	The advent of the requirement described above creates a need to have
> > 	reputation data providers make available to consumers data about
> 
> Does "consumers" mean end-users, operators of receiving services, or some
> other group?
> 
> If it means end-users, how are they expected to employ this information
> within the current context of the tools end-users have?
> 
> > 	An existing, standardized reputation query mechanism is
> > 	Vouch-by-Reference (RFC5518), which provides a simple Boolean
> > 	response concerning the acceptability of different types of mail.
> > 	Other application spaces -- such as Web interactions -- could
> > 	benefit from common reputation query mechanisms, especially those
> > 	for which replies need to be more elaborate.
> 
> Given the existence of VBR, why is an additional reputation query mechanism
> needed?  What will be different in the the mechanism and why is the
> difference important?
> 
> Perhaps the new mechanism will be identical to VBR, but merely will have
> the meaning of the response be more general than just email?
> 
> > 	This working group will produce a set of documents defining and
> > 	illustrating the requirement and defining mechanisms to satisfy it.
> > 	Two mechanisms are proposed:
> > 	
> > 	* simple -- a reputation is expressed in a simple manner such as
> > 	
> > 		an integer
> > 	
> > 	* extended -- a response can contain more complex information
> > 	
> > 		useful to an assessor
> 
> Who is going to use each of these mechanisms and why?  Are they
> participating in the discussions so far?  Have they expressed interest in
> implementing the output of the working group?
> 
> > 	The mechanisms will be designed to be application-independent, and
> > 	portable between reputation providers.
> 
> For this topic, what does 'application-independent' mean?
> 
> What does portable between providers mean?
> 
> > 	The group will also produce specifications for reporting reputation
> > 	data from end-points (usually end users, such as someone clicking
> > 	a "report spam" button in response to unwanted email, or a
> > 	"thumbs-up" button in an online rating system) to reputation
> > 	data aggregators for use in computing updated reputations.
> 
> Reporting to whom?
> 
> What will be the basis for choosing among the different possible and
> existing models for reporting spam?
> 
> The language appears to equate reporting by end-users with some other forms
> of reporting.  Is there really a basis for conflating these?
> 
> > 	Reputation systems such as Realtime Block Lists (RBLs, RFC5782)
> > 	can be problematic when not operated properly.  For example, an
> > 	RBL that lists a specific source without justification can do harm
> 
> By 'source' I assume the meaning is of an listed problem domain, rather
> than the source of the report that the domain is a problem?
> 
> > 	to a legitimate business, provoking damages and possible litigation.
> > 	This important topic will need to be discussed in the informational
> > 	portions of the work produced here, in terms of advice both to
> 
> What is meant by "informational portions of the work"?  What output does
> that refer to?

Several people have made suggestions re: a charter to investigate updating RFC 
4408.  I am working on a draft that integrates these comments and distils them 
down a bit.  From you comments though, I think you may have mistaken the 
DOMAINREP charter that Murray pointed to as an example for a draft charter for 
this new proposed work.  It's not.

Please clarify?

Scott K

v2.29.0 | Report a Bug | By Email | System Status