On 7/9/19 11:09 AM, Ted Lemon wrote:
> On Jul 9, 2019, at 12:03 PM, John Bambenek <[email protected]> wrote:
>> I cannot coerce anything. I represent nothing that represents even a
>> molecule of the network to coerce or enforce anything. I hope incentives
>> will be created, and those may be purely positive incentives (mails more
>> likely to be delivered, etc).
>
> This is why I keep asking you for a clear use case.   What you are
> describing here is a real problem.  The solution to that problem is
> not to publish everyone’s private information in a huge public database.
>
Everyone is not the scope. People who chose to is the scope. Heck,
"everyone" includes people who aren't domain operators also.

Use cases:

- Victim notification of compromised webpages or abuse reports.

- Use in reputational systems to better calibrate security policy to
trust "good" sources and mistrust "bad" sources.

- Aid in investigations, correlate malicious infrastructure, etc.

>> To put your argument in another way, I as someone who protects users
>> should NOT have information with which I could potentially reliably
>> block malicious individuals could be another way to frame your position.
>> That's a position.
>
> Whether or not you should have this information has no bearing on
> whether it should be in a public database.  There are much better ways
> to solve this problem, which require no privacy violation at all.
>  Just as one example, if I establish mutual trust with everyone I’m
> corresponding with, then we can set up a mechanism whereby any mail
> from a source with which trust has not been established can be dropped
> automatically.   This does not require a public database with my
> personal identifying information.  It can probably even be done in
> such a way that you don’t have a map of who knows whom, although
> that’s a hard problem.  But even if it were done in such a way that it
> gave you, someone with whom I have a business relationship,
> /private/ access to my contact graph, that would be much less bad than
> making all of my personal information public.
>
It would be in a public database in one instance only:

Someone chooses to put it there.

Ok, if there is a better solution, I'm listening. I'm not here to
mandate a path, I started a discussion. What technical mechanism can be
implemented that scales that can facilitate mutual trust with everyone
an organization corresponds with?

And again, this proposal doesn't require anything and it certainly
doesn't do a proposal for "all your personal information", there are
only four classes of OPTIONAL data: name, email, phone, address. And it
can be role-based information. You could presumably fill all four of
those out validly and expose NO personal information.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
