RE: [Asrg] Consent Proposal

At 02:09 PM 6/27/2003 -0400, Bob Wyman wrote:

>Yakov Shafranovich wrote:
> > an overall consent framework
>         Yes, I'd like to see that framework... I think there are a
>number of questions that should be answered by it:
>
>         What is the "language" of consent? When you consent, what is it
>that you consent to? Or, when you withhold consent, what is it that you
>withhold consent for? In simple systems, consent is binary and focused
>only on senders. Either a sender may, or may not, send messages.

This is definitely an issue that needs to be defined. I think we need to 
define a broad overview of consent framework and then start working on 
specific issues such as this.

>However, some have proposed that consent be granted in a much more
>granular fashion. Thus, you should be able to consent based on a number
>of attributes such as:
>         0. Identity of sender
>         1. Size of message
>         2. Encoding of message (character sets, HTML, etc)
>         3. Source IP (presence on white/blacklists)
>         4. From: header matches with sending server (i.e. RMX, etc.)
>         5. Presence of signatures
>         6. Presence of attachments
>         7. Rate of message arrival (i.e. only 3 messages per day per
>sender...)
>         8. Words used in message. (i.e. no message using "bad" words)
>         9. Use of Multi-part MIME
>         10. etc...
>         The goal here should be to define the "language" of consent. To
>show what can be said and perhaps understand under what circumstances it
>is reasonable to say these things and what benefit can come from saying
>them. Also, some attention should be paid to the issues of what can and
>cannot be determined by a machine. For instance, a machine can easily
>measure the size of message. A machine can also, in some cases,
>determine what account was used to send a message. However, a machine
>will not be able to determine the actual human who caused a message to
>be sent. (not even with PKI, signatures, etc...)

Very good point.

>         We should distinguish between consent which is implied (by
>reliance on some mechanism such as RMX) or explicit -- i.e. consent that
>is expressed independent of the consent management mechanism in some
>form like a "license to send" or a consent token.
>         Explicit statements of consent have interesting properties
>especially if they are encoded in a machine readable form. For instance,
>a simple expression of consent such as "I don't except mail that
>contains the word 'Viagra'." can be used to parameterize the behaviour
>of spam filters on the recipient's desktop as well as on upstream
>processors such as the recipient's ISP's servers. One might even pass
>such a statement to a potential sender. In one possible world, a sender
>might have a pop-up in their editor that warns them that "Use of the
>word 'Viagra' will prevent delivery of this message to one or more of
>the current recipients."
>         An expression of consent might also serve as a license that can
>be used by the sender. For instance, if I consent to receive mail from
>you, you should be able to use some kind of a token or certificate to
>ensure that your messages bypass interference by any filtering
>mechanisms in the channel between us.

These all are very good points. I will be writing up something later on 
this week and putting in on the list laying out the consent framework and 
different issues that need to be defined.

Yakov 

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg