4. Survey - Consent Model - Tokens (was Re: [Asrg] Nothing will stop spam???)
Yakov Shafranovich <research@solidmatrix.com> Mon, 14 July 2003 00:47 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA09971 for <asrg-archive@odin.ietf.org>; Sun, 13 Jul 2003 20:47:10 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19brUG-00021X-QS for asrg-archive@odin.ietf.org; Sun, 13 Jul 2003 20:46:43 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h6E0ke28007773 for asrg-archive@odin.ietf.org; Sun, 13 Jul 2003 20:46:40 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19brUG-00021I-ML for asrg-web-archive@optimus.ietf.org; Sun, 13 Jul 2003 20:46:40 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA09965; Sun, 13 Jul 2003 20:46:37 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19brUE-0000HB-00; Sun, 13 Jul 2003 20:46:38 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19brUD-0000H8-00; Sun, 13 Jul 2003 20:46:37 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19brTe-0001yE-5K; Sun, 13 Jul 2003 20:46:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19brT0-0001xx-PE for asrg@optimus.ietf.org; Sun, 13 Jul 2003 20:45:22 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA09934 for <Asrg@ietf.org>; Sun, 13 Jul 2003 20:45:19 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19brSy-0000GR-00 for Asrg@ietf.org; Sun, 13 Jul 2003 20:45:20 -0400
Received: from 000-234-318.area5.spcsdns.net ([68.27.154.131] helo=68.27.154.131) by ietf-mx with esmtp (Exim 4.12) id 19brSu-0000GN-00 for Asrg@ietf.org; Sun, 13 Jul 2003 20:45:18 -0400
Message-Id: <5.2.0.9.2.20030713204439.00b394b0@solidmatrix.com>
X-Sender: research@solidmatrix.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
To: "C. Wegrzyn" <wegrzyn@garbagedump.com>, Kee Hinckley <nazgul@somewhere.com>
From: Yakov Shafranovich <research@solidmatrix.com>
Subject: 4. Survey - Consent Model - Tokens (was Re: [Asrg] Nothing will stop spam???)
Cc: Selby Hatch <selby_hatch@azza.com>, Asrg@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-MimeHeaders-Plugin-Info: v2.03.00
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Sun, 13 Jul 2003 20:44:53 -0400
Tokens can be based on a challenge/response mechanism, can be verified by trusted third parties such as CAs, etc. The whole notion of "consent tokens" is really a very generic terms that can encompass all types of tokens. The consent framework and any consent protocols must be able to support multiple token types, and allow for extensibility so new token types can be defined. Yakov At 07:50 AM 7/9/2003 -0400, C. Wegrzyn wrote: >There are really two ways to handle this it seems. First is the notion of >"consent" token that travels with the message; this is the key that >unlocks the door on the receipient's email system. The second is the idea >of a list kept at the receipient's email system. > >The consent token traveling with the email seems to be somewhat >problematic. It would have to prevent middlemen attacks and for that to >happen the token would need to encode the source of the email message. I >believe that is a problem. For instance I have two email clients with two >different email addresses - one being the company I work at and the other >being my personal account. Now if the token includes the originating >address I would have to have two different tokens. I would think we would >want a single token regardless of where I am and whatever address I use >and that would make a lot of work. But this single token would make it >susceptible to middleman attacks. > >In the receiver side screening mechanism, the second idea, I keep track of >addresses that I am willing to accept. As noted earlier very little mail >is sent through multiple MTA's (though I can tell you of one case that it >will happen!). This is patently more simple. I both cases - the token and >screening - I need to keep something to note who to allow through. But in >the former instance the sender needs to do something as well. Seems like >more work. > >Am I missing something here? > >Peace, >Chuck Wegrzyn > > > >Kee Hinckley wrote: > >>At 9:14 PM -0600 7/7/03, Selby Hatch wrote: >> >>>I view the consent token as a separate entity from the email address. >>>The consent token would be inserted from some source (address book, >>>keyboard, token repository, etc.) into a header by the MUA >> >> >>That's in the case of my sending email to someone else. I'm trying to >>figure out how a separate consent token fits into the case of my >>subscribing to this mailing list (for instance). >> >>>Yes, unfortunately, unless you have a private domain, changing email >>>addresses requires notifying senders. But, it should not require >>>giving out new consent tokens. The consent framework should be such >> >> >>Again, recipient vs. sender issue. I should be fine receiving from >>people I've agreed to receive from. However what is the process for >>updating *their* consent to receive from *me*? And how does it work if I >>don't get the opportunity to notify them until *after* the change. (E.g. >>just got laid off.) > > > >_______________________________________________ >Asrg mailing list >Asrg@ietf.org >https://www1.ietf.org/mailman/listinfo/asrg _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- 4. Survey - Consent Model - Tokens (was Re: [Asrg… Yakov Shafranovich