A Few More Thoughts on Email Authentication… errr… Trust - The Diigo Meta page

www.circleid.com/..._on_email_authentication_trust

Trent Adams's personal annotations on this page

jtrentadams bookmarked this page on 2009-04-24 (tags: authentication, trust, identity)
  • For authentication to be useful, you also need some sort of evaluation mechanism, whether an ad hoc, private whitelist or a trusted, third-party assessment service. Authentication is only one component of a trust service. This, of course, leads to a chicken-and-egg problem trying to get adoption by parties who might not see concrete benefit anytime soon. While the mechanics and operation of authentication are well understood, they aren't cheap to implement. Absent an immediate value proposition, why should an organization go through the expense? Operations folk are not usually swayed by vague promises of eventual benefit. So what are the specific, immediate assessment, whitelist, reputation, certification benefits available for an adopter of DKIM or SPF? Absent a meaningful assessment mechanism, the answer is: none.
  • The simplest is application of classic Bayesian content analysis, to develop a reputation history for a particular identifier. Perform the usual types of statistical evaluation of a stream of messages having the same signature. You will quickly formulate an assessment. If your assessment is negative, you are in the unusual position of knowing who to complain to: Since the message stream is authenticated, there is an explicitly and reliably specified responsible party. If your assessment is positive, you can start treating that stream differently (and better) than messages lacking authentication.
  • The second approach involves a published list, but is much more modest than an all-out certification service. Affiliation Lists (AffiL) is a proposal that Jeff MacDonald, of e-Dialog, and I developed:


    "Typically, an affiliation list merely documents an existing relationship, whereas quality assessment statements are the result of incremental and subjective work by the publisher. Hence, affiliations are more easily documented. In terms of using the publication information for performing decision-making by the consumer, the utility of an affiliations list is based on having the consumer of the list perform the quality assessment step, rather than the publisher." (See specification)



    Imagine a list published by the Federal Deposit Insurance Corporation (FDIC) of member organizations or one for licensed pharmacists. Membership already exists, even if it is not already published. Such a list would indicate domain names registered to a member. Anything signed under one of these domain names would mean that the signing organization had an affiliation that could be meaningful for a receiver's message handling analysis. The lists do not certify email quality by the signer, but they do provide useful input. While membership would not automatically mean that a receiver should trust the message, it ought to mean a higher level of safety than stray messages coming in from the world of mistrust.
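The two mechanisms in the annotations above, a per-signer reputation built from a content classifier's verdicts on an authenticated stream, and an affiliation-list lookup on the signing domain, combined into one added example. This is not code from the article, from the AffiL proposal, or from Diigo. It assumes the receiving MTA has already recorded DKIM verification in an Authentication-Results header (RFC 5451, `dkim=pass header.d=...` syntax) and that a content filter has produced a spam verdict per message; the domains, the affiliation lists, the message stream, the Beta-Bernoulli smoothing and the 0.2/0.8 thresholds are all constructed for the example.

```python
"""Per-signer reputation plus affiliation-list lookup (constructed example)."""
import re
from collections import defaultdict

# Constructed sample stream: the Authentication-Results value the receiving
# MTA added to each message, paired with the content filter's verdict
# (True = the Bayesian content classifier called it spam). All domains and
# verdicts are made up for this example.
SAMPLE_STREAM = [
    ("mx.example.net; dkim=pass header.d=bank.example header.i=@bank.example", False),
    ("mx.example.net; dkim=pass header.d=bank.example", False),
    ("mx.example.net; dkim=pass header.d=bank.example", False),
    ("mx.example.net; dkim=pass header.d=bank.example", False),
    ("mx.example.net; dkim=pass header.d=bank.example", False),
    ("mx.example.net; dkim=pass header.d=bulk.example", True),
    ("mx.example.net; dkim=pass header.d=bulk.example", True),
    ("mx.example.net; dkim=pass header.d=bulk.example", True),
    ("mx.example.net; dkim=pass header.d=bulk.example", True),
    ("mx.example.net; dkim=pass header.d=bulk.example", True),
    ("mx.example.net; dkim=fail header.d=bank.example", True),  # forged/broken signature
    ("mx.example.net; dkim=none", True),                        # unsigned
]

# Constructed affiliation lists in the spirit of AffiL: each publisher vouches
# only that these domains belong to its members, not for the quality of their mail.
AFFILIATION_LISTS = {
    "fdic.example": {"bank.example", "credit-union.example"},
    "pharmacy-board.example": {"rx.example"},
}

DKIM_RE = re.compile(
    r"\bdkim=(?P<result>[a-z]+)(?:[^;]*?\bheader\.d=(?P<domain>[A-Za-z0-9.-]+))?"
)


def signer_of(auth_results):
    """Return the DKIM signing domain (d=) only when the signature verified.

    A failed or missing signature yields no identifier: there is nobody to
    attach a reputation to and nobody reliable to complain to.
    """
    m = DKIM_RE.search(auth_results)
    if m is None or m.group("result") != "pass" or m.group("domain") is None:
        return None
    return m.group("domain").lower()


def affiliations_of(domain):
    """Publishers whose list covers `domain`, or a parent domain of it.

    Assumption for this example: a signature under a subdomain of a listed
    domain counts as the member's.
    """
    return sorted(
        publisher
        for publisher, members in AFFILIATION_LISTS.items()
        if any(domain == m or domain.endswith("." + m) for m in members)
    )


class SignerReputation:
    """Beta-Bernoulli estimate of how often a signer's mail is spam.

    Prior alpha=beta=1 (uniform): a signer with no history sits at 0.5 and
    moves toward the observed rate as evidence accumulates.
    """

    def __init__(self, alpha=1.0, beta=1.0, min_observations=3):
        self.alpha, self.beta = alpha, beta
        self.min_observations = min_observations
        self.spam = defaultdict(int)
        self.total = defaultdict(int)

    def observe(self, domain, is_spam):
        self.total[domain] += 1
        if is_spam:
            self.spam[domain] += 1

    def spam_probability(self, domain):
        return (self.spam[domain] + self.alpha) / (
            self.total[domain] + self.alpha + self.beta
        )

    def assessment(self, domain):
        """'good', 'bad', or 'unknown' (too little history, or in between)."""
        if self.total[domain] < self.min_observations:
            return "unknown"
        p = self.spam_probability(domain)
        if p <= 0.2:
            return "good"
        if p >= 0.8:
            return "bad"
        return "unknown"


def handling_decision(auth_results, content_is_spam, rep):
    """Record one message against its signer; return (signer, affiliations, verdict).

    Unauthenticated mail gets no per-signer treatment: without the identifier
    the content verdict cannot be accumulated into a reputation.
    """
    signer = signer_of(auth_results)
    if signer is None:
        return None, [], "unauthenticated"
    rep.observe(signer, content_is_spam)
    return signer, affiliations_of(signer), rep.assessment(signer)


def run_sample():
    """Feed the constructed stream through the receiver; return final state."""
    rep = SignerReputation()
    last = {}
    for auth_results, is_spam in SAMPLE_STREAM:
        signer, affils, verdict = handling_decision(auth_results, is_spam, rep)
        last[signer] = (affils, verdict)
    return rep, last


if __name__ == "__main__":
    rep, last = run_sample()
    for signer, (affils, verdict) in last.items():
        print(f"{str(signer):>16}: verdict={verdict:<15} affiliations={affils}")
```

Note that the `dkim=fail header.d=bank.example` message is spam but leaves bank.example's record untouched, because a failed signature is not evidence about the signer; the affiliation hit is reported separately from the reputation verdict so the receiver, not the list publisher, does the quality assessment.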

This link has been bookmarked by 1 person. It was first bookmarked on 24 Apr 2009 by Trent Adams.
