(Please forgive the HTML - not at my normal desk at the moment.)

Gordon Fecyk <gordonf@xxxxxxxxx> wrote:

>> From: Hallam-Baker, Phillip [mailto:pbaker@xxxxxxxxxxxx]
>
>> But I would certainly accept that we need to change the
>> equation, assume all email guilty until proven innocent.

> I hope you mean that _recipients_ would assume this, as a matter of
> individual choice.

Yep. If you're going to hold me to "The recipient decides," then hold me to it here, too. As I've noted, I don't want a third-party to implicitly tell me to treat all senders as suspect until proven otherwise.

> Then it's a matter of how to prove innocence. For me, the
> sender (domain) demonstrating accountability is enough.

> Ah, but what counts as "demonstrating accountability"?

Good question. My idea of demonstrating accountability, at least per domain, is the domain identifying a sending host as one of theirs. All of the proposals to date use this approach to let a domain administration demonstrate accountability. There may be better ways, which is what I believe we're here to find.

> A lot of the
> largest ISPs have an <abuse> mailbox, which even generates pleasant-sounding
> autoreplies, but there's considerable controversy whether
> abuse complaints are acted upon...

That's not very accountable, agreed.

I want to be able to complain to a domain in the following escalating order (this is just my preference): abuse mailbox (if it exists - it's not required), postmaster mailbox, whois contacts, hosting ISP. From there I want to refuse mail from the domain if it's unresolved.

I can't do that if the mail claiming to be from a domain isn't really from the domain, or isn't from a user or host the domain's accountable for.

> > I'd want that demonstrated by the sender (domain) and not by a third
> > party however.

> I'm afraid I don't understand _how_ a sender you have no out-of-band
> contact with _could_ demonstrate this.

I'd like to think THAT's one of the reasons we're here. To provide a way for an enterprise to demonstrate e-mail accountability.

> Personally, I'd want multiple third-party evaluations of how
> responsive they are to <abuse> reports.

The receiver decides, and I would never fault you for wanting this kind of information before accepting a domain's mail. I'm not comfortable with it and I believe it has too-high a barrier to entry for senders. If the domain administration can tell me directly I'll trust that first. Finding a way for them to tell me, again, is why I believe we're here.