Re: [Asrg] Trust, misunderstood?
"C. Wegrzyn" <wegrzyn@garbagedump.com> Wed, 02 July 2003 21:02 UTC
Message-ID: <3F03482F.8040804@garbagedump.com>
From: "C. Wegrzyn" <wegrzyn@garbagedump.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4a; MultiZilla v1.4.0.4A) Gecko/20030612
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Danny Angus <danny@apache.org>
CC: asrg@ietf.org
Subject: Re: [Asrg] Trust, misunderstood?
References: <HKEFKPNPJLANNFPFMDKJCENJIIAA.danny@apache.org>
In-Reply-To: <HKEFKPNPJLANNFPFMDKJCENJIIAA.danny@apache.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
Date: Wed, 02 Jul 2003 17:01:35 -0400

Danny,

Other than providing a means for parties to accept "trusting" senders, this is exactly what I implemented. I assumed that OOB was used to validate the trust. I didn't use PGP but felt CAs were the better way to go (personal belief).

Chuck Wegrzyn

Danny Angus wrote:

>Hi all,
>
>There's been some talk about trust systems recently, I think I instigated
>some of it, and I feel that a number of comments have been made which kind
>of miss the point about trust. I'd like to outline my take on trust and why
>I believe trust should be considered by this group.
>
>First off trust isn't an absolute. Realistically I can only trust people I
>know, and even then I could misjudge them. To rely on another person's
>judgement is more risky still. It is also all wrong to think of trust as YES
>or NO, there are degrees of trust, some people we'd trust with our lives,
>others with our car keys, yet more with our phone numbers. We don't say YES
>or NO to the phone number guys, we say "I trust you just enough not to abuse
>this information"
>
>Secondly in existing trust mechanisms it is possible, but not widely used,
>for end users to make decisions about whom of trust issuers they will trust,
>and accept the judgement of in assessing an unknown third party.
>
>For example, it is possible to score PGP keys according to who I trust and
>why, my immediate circle get full marks, those known to them will be assumed
>to have a high degree of trustworthiness, and so on. When I encounter a
>third party I can make a judgement according to how many of the people I
>trust, and how much I trust them, have signed the certificate.
>
>Likewise revocation could have a detrimental effect if a close associate of
>mine has revoked their trust, less effect if I don't trust the revoker.
>
>SSL certificates can be revoked if client software actually bothers to check
>revocation lists.
>
>Now Email:
>
>Forming a judgement about whether or not to trust, and to what extent, an
>unknown sending MTA is about much more than checking a certificate.
>Of course a signed certificate, signed by someone I trust, can influence my
>decision, likewise I can consider RBLs and other blacklists, reverse DNS
>etc, etc. I could attempt to relay mail through a suspect host myself if I'm
>suspicious.
>
>So what I propose for the basis of a trust system would be for a mechanism
>by which SMTP can temporarily block a transaction in order for the recipient
>to carry out checks and create a trust score for the sending MTA.
>
>If this mechanism provides for the optional exchange of certificates these
>can be included in the calculation.
>
>My Trust system would allow mail admins to set rules and thresholds for
>trust, allowing admins to raise and lower the barrier of trust which could
>be crossed *automatically* by well behaved hosts. Other hosts could be
>rejected out of hand or sin-binned until a more thorough check is carried
>out.
>
>I could offer my scores to my friends. Who, if they trust my judgement,
>could use this to help in making their judgement.
>
>The commercial madness which is the "installed root CA certificates" of the
>browsers is idiotic, I have no reason at all to trust verisign or thawte who
>are those guys?!? But if my (they are respectable!) ISP had signed a
>certificate, or offered me their trust rating for a host I'd be much more
>likely to trust that host a bit.
>
>Unfortunately I'm going away for a week so I won't be able to respond to
>anyone's comments (or flames!) 'till I get back.
>
>d.
>
>
>_______________________________________________
>Asrg mailing list
>Asrg@ietf.org
>https://www1.ietf.org/mailman/listinfo/asrg
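
The scoring scheme proposed in the quoted message, sketched as an added example; it is not part of either message and is not code from either author. All weights, thresholds, field names and the `.example` party names are assumptions chosen for illustration: evidence from third parties counts only in proportion to how much the receiving admin trusts that party, and the result maps onto accept, temporary deferral ("sin-bin") or reject.

```python
# Added illustration: weights, thresholds and field names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Policy:
    accept_at: int = 70   # at or above: accepted automatically
    reject_at: int = 30   # below: rejected out of hand
    # How far we trust each party whose judgement we borrow (0..100).
    trusted: dict = field(default_factory=dict)

def trust_score(ev: dict, policy: Policy) -> int:
    """Fold local checks and weighted third-party opinions into 0..100."""
    score = 50                                   # unknown host starts neutral
    score += 10 if ev.get("reverse_dns_ok") else 0
    score -= 30 if ev.get("open_relay") else 0   # result of our own relay test
    score -= 20 * len(ev.get("blacklists", []))
    # Signatures, revocations and shared scores count only in proportion
    # to how much we trust whoever issued them; unknown parties weigh 0.
    for signer in ev.get("cert_signed_by", []):
        score += 30 * policy.trusted.get(signer, 0) // 100
    for revoker in ev.get("revoked_by", []):
        score -= 50 * policy.trusted.get(revoker, 0) // 100
    for friend, rating in ev.get("friend_scores", {}).items():
        score += policy.trusted.get(friend, 0) * (rating - 50) // 100
    return max(0, min(100, score))

def smtp_decision(ev: dict, policy: Policy) -> tuple:
    """Map the score onto an SMTP reply: accept, sin-bin (4xx), or reject."""
    score = trust_score(ev, policy)
    if score >= policy.accept_at:
        return score, "250 OK"
    if score < policy.reject_at:
        return score, "550 Rejected by trust policy"
    return score, "451 Deferred pending trust checks"

# Constructed sample data (not from the thread).
POLICY = Policy(trusted={"isp.example": 80, "friend.example": 50})
HOSTS = {
    "signed-by-isp": {"reverse_dns_ok": True, "cert_signed_by": ["isp.example"]},
    "signed-by-unknown-ca": {"cert_signed_by": ["root-ca.example"]},
    "listed-relay": {"open_relay": True, "blacklists": ["rbl-a", "rbl-b"]},
}

if __name__ == "__main__":
    for name, ev in HOSTS.items():
        print(name, smtp_decision(ev, POLICY))
```

A certificate signed by a party absent from `trusted` leaves the score at neutral, so that host is deferred rather than accepted; the same certificate signed by the admin's own ISP crosses the acceptance threshold.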