Re: [Asrg] request for review for a non FUSSP proposal

Claudio Telmon <> Tue, 23 June 2009 21:26 UTC


Douglas Otis wrote:

> Your strategy requires servicing a method that does not depend upon
> "pass-tokens" as a means to obtain them. 

Tokens can be obtained through a "consent request" email message, which
is a normal "text only" message with some constraints, or through some
other communication channel, including face-to-face meetings. Other,
more powerful or easy means to obtain tokens would probably mean that the
address owner would be flooded by spam hiding as consent requests, or
that tokens could be surreptitiously obtained.

> The task of collecting source
> specific tokens represents a fair amount of administrative effort for
> both senders and recipients that is likely to be problematic.  Not good.

This kind of evaluation is a critical one for the model the framework is
based on. I take the cell phone numbers as an example. Most of us have
hundreds of cell phone numbers, (almost) none of which has been obtained
automatically. We took the burden of collecting them, and usually, if we
need to contact somebody, and this person is willing to talk with us, we
manage to get a phone number through one of the many communication
channels that are offered to us. We also happily take the burden of
distributing by hand our cell phone number, even if we could just put it
on phone directories and have it automatically distributed, because we
understand the advantages of not distributing it. I would say, most of
us are more unhappy with the ease with which unknown people can contact
us through email, than with the difficulties they have contacting us
through our cell phone.

> Splitting the email-address onto separate headers is problematic.  In
> addition, what one MTA might understand may not apply to the subsequent.

I think this is a technical problem the framework deals properly with. I
may be missing something, of course. And, it requires an extension to SMTP.

> Review how one might use <local-part>"+"<tags> :

Yes, I wrote a detailed answer on this to Seth in a previous message.

> Then imagine this acceptance criteria is combined valid DKIM
> respondent's messages.

I don't think this would solve the problem of address (that is, tag)
disclosure in messages with multiple recipients.

> As yet a better alternative, to thwart wasted and undesired exchanges,
> an exchange by reference offers an inherent means to authenticate
> sources without cryptography, and avoid undesired exchanges.

Maybe I didn't catch this one, but tokens can be exchanged between
users, so a "reference" would just be the use of the same token. But
probably I didn't understand what "exchange by reference" is; Google
just gives me some cryptic pages on taxation and foreign currency :)


Claudio Telmon