Re: The Value of Reputation (was Re: [ietf-dkim] Re: WG Review: Domain Keys Identified Mail (dkim))

2005-12-30 Thread John Leslie
Nathaniel Borenstein [EMAIL PROTECTED] wrote:
> On Dec 24, 2005, at 4:09 PM, Douglas Otis wrote:
>
>> Reputation remains the only solution able to abate the bulk of abuse.
>
> ... I think most of us pretty much agree about the critical role of
> reputation.

   I've noticed a lot of what I call lip service about the critical
role of reputation. To say this differently, many folks seem to think
you can choose a reputation system almost at random, and it's sure
to improve your signal/noise ratio, unless you've chosen the wrong one.
(which, I suppose, is a tautology...)

   But, in my view, we have no basis to choose the right one unless
we have a good understanding of what it measures and a workable idea
of how to end run when it falsely rejects good messages.

> I see the cycle as going like this:  We need at least one
> standardized, moderately-useful system for weakly authenticating
> the sources of messages.  Once we have that, we have the minimal
> data that a reputation system will require to be able to start
> doing something at least mildly useful.

   A lot depends on what we mean by weakly authenticating.
   
   People who take security seriously always call the authentication
inherent in an established TCP connection weak authentication; but
in fact it represents a pretty-darn-good correlation. Thus blacklists
based on IP address alone have an excellent correlation to sending
SMTP clients which have, at some time, sent abusive email. (Their
problems lie elsewhere.)

   OTOH we have schemes running which don't claim correlation much
above 60%, and offer no assurance the correlation will remain that
high. These, IMHO, don't qualify as useful authentication, but
it's hard to argue they fail to be weak authentication.

> Once we have *that*, we will have (in our reputation systems) a
> built-in market for additional systems for (perhaps less weakly)
> authenticating the desirability (not necessarily solely due to the
> source) of incoming messages.

   I don't agree with Nat here.

   As a practical matter, _many_ folks will prefer sorting through
100 spams to losing one good email. I see darn little market for
anything which can't get it 99% right. What I think we're seeing is
folks that design a system for their own use, achieve an accuracy
of sorting sufficient for their needs, and offer it to others
because they see their marginal cost (per new customer) as
essentially zero.

   Further, until the customer abandons an existing method, the
barrier to adopting an additional method is pretty close to 99%
correct identification of email which passed the existing method(s).
This is _not_ an encouraging situation for entrepreneurs.
   
> To some extent, there's a chicken-and-egg problem with
> authentication and reputation technologies.  My hope for DKIM
> is that it will give us one good enough egg to produce a chicken,
> which can then (in much the manner that Cain and Abel found their
> wives, I guess) facilitate a whole new generation of authentication
> technology eggs.

   I find the challenge of designing a reputation system based in
DKIM a bit overwhelming. DKIM offers assurance that a domain has
taken part in the transmission of an email message containing
certain headers (which the recipient probably never sees), but no
assurance that anything else hasn't been changed since then.
There's no assurance that the message isn't a replay attack, nor
is there assurance that the original hasn't been lost. This is _not_ 
an attractive base upon which to build reputation.

>> When reputation is applied against an authorization as an
>> identifier, innocent email-address domain owners will be
>> seriously harmed.  Abusers will find acceptance methods for an
>> authorization scheme.

   Doug is complaining about the difficulty of designing a useful
reputation system on such a base. I entirely agree with him there.

   But I wish it to be clear I am not complaining about reputation  
services being out-of-scope in the DKIM charter. I prefer it that   
way: otherwise I'd be facing a serious challenge trying to cobble
on a useful reputation heuristic, with really no hope of meeting
the charter deadlines.
   
   I'm really not complaining at all: I'm just trying to bring
some sense of reality to what we should expect of DKIM-based
reputation systems.

> Yes, every one of these schemes will be flawed.  That is why we
> need to understand
> A) the role of weak authentication (weeding out some but not
> all of the bad guys at any point in time, and using multiple
> sources of information to judge the desirability of a message)

   Expressed this vaguely, there's nothing to understand. We'd
need useful estimates of what fraction of bad guys will be weeded
out and what fraction of good guys are (wrongly) weeded out. I'm
not sure any useful estimates of that can be found.

> and
> B) the need for a continually evolving set of (ever-stronger,
> we hope) mechanisms for proving that a message is desirable
> to the recipient.
 
   This 
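John's argument above (a scheme whose verdicts correlate with abuse only ~60% of the time is hard to call useful, few will accept anything that is not 99% right, and "weeding out some of the bad guys" means nothing without estimates of both error fractions) can be made concrete by treating each weak-authentication signal as evidence under an explicit error budget. The following is an added illustration, not code from the thread or from any DKIM implementation. The two signals, their hit and false-alarm rates, and the 80% abusive prior are constructed numbers, and combining signals by multiplying likelihood ratios assumes they are conditionally independent, which is the example's own assumption.

```python
"""Weak-authentication signals as evidence: how far a signal of a given
quality moves an accept/reject decision under an explicit error budget.
Added illustration; all signal numbers below are constructed, not measured."""

# Constructed signal characteristics (assumptions for the example):
#   tpr = P(signal fires | message is abusive)
#   fpr = P(signal fires | message is good)
SIGNALS = {
    # a scheme whose verdicts correlate with abuse only ~60% of the time
    "weak_scheme": {"tpr": 0.60, "fpr": 0.40},
    # an IP-address blacklist: strong correlation with past abusive senders
    "ip_blacklist": {"tpr": 0.90, "fpr": 0.01},
}


def reject_threshold(spams_per_lost_good: float) -> float:
    """Posterior P(abusive) above which rejecting is worth the risk, when one
    wrongly rejected good message costs as much as wading through this many
    spams.  With 100 spams per lost good message the bar is 100/101 ~ 0.99,
    the '99% right' figure from the message above."""
    return spams_per_lost_good / (spams_per_lost_good + 1.0)


def posterior_abusive(prior_abusive: float, observed: dict, signals=SIGNALS) -> float:
    """Combine the consulted signals into P(abusive | evidence).

    Each consulted signal multiplies the prior odds by its likelihood ratio:
    tpr/fpr if it fired, (1-tpr)/(1-fpr) if it was checked and did not fire.
    Signals absent from `observed` were not consulted at all.  This is a
    naive-Bayes combination and assumes conditional independence, which is
    an assumption of the example, not a property of real mail systems."""
    odds = prior_abusive / (1.0 - prior_abusive)
    for name, fired in observed.items():
        s = signals[name]
        odds *= s["tpr"] / s["fpr"] if fired else (1.0 - s["tpr"]) / (1.0 - s["fpr"])
    return odds / (1.0 + odds)


def decide(prior_abusive: float, observed: dict, spams_per_lost_good: float = 100.0) -> str:
    """'reject' only when the evidence clears the error-budget threshold."""
    p = posterior_abusive(prior_abusive, observed)
    return "reject" if p > reject_threshold(spams_per_lost_good) else "accept"


def spams_caught_per_good_lost(prior_abusive: float, tpr: float, fpr: float) -> float:
    """If a signal were used on its own as a reject rule: abusive messages it
    catches for every good message it wrongly rejects."""
    return (prior_abusive * tpr) / ((1.0 - prior_abusive) * fpr)


if __name__ == "__main__":
    prior = 0.80  # constructed: 80% of inbound mail is abusive
    print("reject threshold:", round(reject_threshold(100), 4))
    for obs in ({"weak_scheme": True}, {"ip_blacklist": True},
                {"weak_scheme": True, "ip_blacklist": True}):
        print(obs, round(posterior_abusive(prior, obs), 4), decide(prior, obs))
    for name, s in SIGNALS.items():
        print(name, "catches", round(spams_caught_per_good_lost(prior, **s), 1),
              "spams per good message lost")
```

Under these constructed numbers the weak scheme, used alone, moves the posterior from 0.80 to about 0.86 and catches only 6 spams per good message lost, so it never reaches the 0.99 reject bar; the blacklist hit alone reaches about 0.997 and 360 spams per good message lost. The weak signal still contributes when combined with stronger evidence, which is the "multiple sources of information" role, but it cannot carry a reject decision on its own at this error budget.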

The Value of Reputation (was Re: [ietf-dkim] Re: WG Review: Domain Keys Identified Mail (dkim))

2005-12-27 Thread Nathaniel Borenstein

On Dec 24, 2005, at 4:09 PM, Douglas Otis wrote:

> On Fri, 2005-12-23 at 17:27 -0500, Nathaniel Borenstein wrote:
>
>> Far from trying to leave only one "authorization method", the DKIM
>> effort is an attempt to show, by example, how an arbitrary number of
>> such methods might eventually be elaborated and standardized.
>
> There is danger viewing any abuse control mechanism as representing an
> authorization scheme.  The control method should strive to identify
> the source of abuse, and not just whether the message has been
> authorized.  The DKIM signature provides a fairly strong indication of
> the message source, with a normal potential for abusive replay as with
> any cryptographic method.

I'm sorry, the "authorization method" was an echo of the term used in
the mail I was replying to (which is why it was in quotes).  I was
really trying to generalize to a whole range of technologies without
making my wording too awkward.  Perhaps I should have replaced "such
methods" with "antimalware technologies" or "abuse control mechanisms".
In any event, I fully agree that the term "authorization", in this
context, is both A) insufficiently generalized, and B) troublesome on
countless philosophical grounds.

> Reputation remains the only solution able to abate the bulk of abuse.

The word "only" makes me cringe a bit in any discussion like this (a
global fascist state, for example, is another possible solution), but I
think most of us pretty much agree about the critical role of
reputation.  I see the cycle as going like this:  We need at least one
standardized, moderately-useful system for weakly authenticating the
sources of messages.  Once we have that, we have the minimal data that
a reputation system will require to be able to start doing something at
least mildly useful.  Once we have *that*, we will have (in our
reputation systems) a built-in market for additional systems for
(perhaps less weakly) authenticating the desirability (not necessarily
solely due to the source) of incoming messages.  To some extent,
there's a chicken-and-egg problem with authentication and reputation
technologies.  My hope for DKIM is that it will give us one good enough
egg to produce a chicken, which can then (in much the manner that Cain
and Abel found their wives, I guess) facilitate a whole new generation
of authentication technology eggs.

> When reputation is applied against an authorization as an identifier,
> innocent email-address domain owners will be seriously harmed.  Abusers
> will find acceptance methods for an authorization scheme.

Yes, every one of these schemes will be flawed.  That is why we need to
understand A) the role of weak authentication (weeding out some but
not all of the bad guys at any point in time, and using multiple
sources of information to judge the desirability of a message) and B)
the need for a continually evolving set of (ever-stronger, we hope)
mechanisms for proving that a message is desirable to the recipient.
Some of those mechanisms will also involve (ever-stronger, we hope)
sender authentication, but others could eventually involve technologies
as unrelated to authentication as anonymous payment.  -- Nathaniel



___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
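Doug's remark, quoted in the message above, that a DKIM signature indicates the message source "with a normal potential for abusive replay", and John's earlier point that it gives no assurance that anything outside the signed headers is unchanged, both come down to what the signature actually covers. The following is an added example, not DKIM code and not from the thread or from any DKIM implementation: it uses an HMAC with a shared key as a stand-in for DKIM's RSA signature and a deliberately simplified header canonicalization, and the message, key and domain are constructed. It shows which alterations a signature over h=From:Subject:Date detects, which it cannot, and how listing every relied-upon header in h= (including ones that are absent at signing time, so-called oversigning) closes the header cases. A replayed but unchanged message is simply the "original" case below: the signature carries nothing about how often, or to whom, the message was meant to be delivered, which is why a reputation system keyed on the signing domain has to account for that.

```python
"""Which parts of a message a DKIM-style signature covers.  Added example:
an HMAC with a shared key stands in for DKIM's RSA signature and the
header canonicalization is a simplified stand-in for DKIM's.  What is
covered (the h= headers and the body hash) and what is not (everything
else) is the point being shown."""
import base64
import hashlib
import hmac


def _header_value(headers, name):
    """First header with this name (case-insensitive); None if absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def _canon_headers(headers, h_list):
    """Simplified canonical form: 'name:value' per listed header, in h= order.
    A listed-but-absent header contributes an empty value, which is what lets
    a signer pin a header as absent (oversigning)."""
    lines = [f"{name.lower()}:{(_header_value(headers, name) or '').strip()}"
             for name in h_list]
    return "\r\n".join(lines).encode()


def body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def sign(headers, body, h_list, key: bytes, domain="example.com") -> str:
    """DKIM-like signature header value with d=, h=, bh=, b= tags.
    The body hash is signed together with the listed headers."""
    bh = body_hash(body)
    data = _canon_headers(headers, h_list) + f"\r\nbh={bh}".encode()
    b = base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()
    return f"d={domain}; h={':'.join(h_list)}; bh={bh}; b={b}"


def parse_sig(sig: str) -> dict:
    tags = {}
    for part in sig.split(";"):
        k, _, v = part.strip().partition("=")
        tags[k] = v
    return tags


def verify(headers, body, sig: str, key: bytes) -> bool:
    """True when the body hash matches and the MAC over the h= headers plus
    bh= verifies.  Headers outside h= and the SMTP envelope are never seen."""
    tags = parse_sig(sig)
    if tags["bh"] != body_hash(body):
        return False
    data = _canon_headers(headers, tags["h"].split(":")) + f"\r\nbh={tags['bh']}".encode()
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(tags["b"]))


def scenarios(key: bytes = b"constructed-demo-key") -> dict:
    """Constructed message; returns the verification result of each case."""
    headers = [("From", "alice@example.com"), ("To", "bob@example.net"),
               ("Subject", "Invoice"), ("Date", "Sat, 24 Dec 2005 16:09:00 -0500")]
    body = "Please see the attached invoice.\r\n"

    def altered(name, new):
        return [(n, new if n == name else v) for n, v in headers]

    sig = sign(headers, body, ["From", "Subject", "Date"], key)
    results = {
        "original": verify(headers, body, sig, key),
        # a signed header changed -> detected
        "from_altered": verify(altered("From", "other@example.com"), body, sig, key),
        # body changed -> detected through bh=
        "body_altered": verify(headers, body + "Extra line\r\n", sig, key),
        # a header the signer left out of h= changed -> NOT detected
        "unsigned_to_altered": verify(altered("To", "carol@example.org"), body, sig, key),
        # a header absent at signing time added later -> NOT detected
        "reply_to_added": verify(headers + [("Reply-To", "x@example.org")], body, sig, key),
    }
    # Mitigation for both undetected header cases: list every header you rely
    # on in h=, including ones that are absent when you sign.
    oversigned = sign(headers, body, ["From", "To", "Subject", "Date", "Reply-To"], key)
    results["reply_to_added_oversigned"] = verify(
        headers + [("Reply-To", "x@example.org")], body, oversigned, key)
    results["to_altered_oversigned"] = verify(
        altered("To", "carol@example.org"), body, oversigned, key)
    return results


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:28s} verifies={ok}")
```

The two "NOT detected" cases are not weaknesses of the signature primitive; they are the signer's choice of h=. For a receiver building reputation on the signing domain, the takeaway is that the verified identity vouches only for the listed headers and the body hash, and says nothing about unlisted headers, the envelope, or whether this copy of the message was the one the signer intended to send.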


Re: The Value of Reputation (was Re: [ietf-dkim] Re: WG Review: Domain Keys Identified Mail (dkim))

2005-12-27 Thread Douglas Otis


On Dec 27, 2005, at 7:33 AM, Nathaniel Borenstein wrote:

> I'm sorry, the "authorization method" was an echo of the term used
> in the mail I was replying to (which is why it was in quotes).  I
> was really trying to generalize to a whole range of technologies
> without making my wording too awkward.  Perhaps I should have
> replaced "such methods" with "antimalware technologies" or "abuse
> control mechanisms".  In any event, I fully agree that the term
> "authorization", in this context, is both A) insufficiently
> generalized, and B) troublesome on countless philosophical grounds.

The response was specifically against the use of "authorization".
With respect to SPF/Sender-ID or SSP, these are indeed email-address
authorization schemes.  With Sender-ID, authorization has been
incorrectly described as a form of authentication, and much like
Sender-ID, SSP appeared more by way of introduction rather than
discussion.  All of these authorization schemes, especially SSP,
will disrupt the delivery of legitimate email.  This authorization
scheme also proposes untold numbers of DNS lookups for perhaps any
number of From addresses and signatures.  The art of open-ended
authorizations (burden shifting) in SSP will soon include
authorized signature lists.  SSP also considers itself a weak
form of authentication by directing complaints to the email-address
rather than the signer. :(

>> Reputation remains the only solution able to abate the bulk of abuse.
>
> The word "only" makes me cringe a bit in any discussion like this
> (a global fascist state, for example, is another possible
> solution), but I think most of us pretty much agree about the
> critical role of reputation.

Some view a closed system, rather than a system open to tens of
millions of email-address domains, as an alternative to reputation.
Even in that austere system, however, each would consider their access
contingent upon their reputation for good behavior.  Reputation is an
unpleasant reality where identifying those culpable for abuse _must_
_not_ be taken lightly.

> I see the cycle as going like this:  We need at least one
> standardized, moderately-useful system for weakly authenticating
> the sources of messages.

I see the base DKIM draft forming a solid basis to identify email
sources.  The ill-considered SSP draft will seriously hinder the DKIM
effort.  Serious problems are already being handled by way of
burden-shifting, rather than considering real solutions.  The related
expense associated with an imposition of a disruptive email-address
authorization scheme does not justify this component's inclusion
within the DKIM charter.  With far less overhead, spoofing attempts
can be thwarted without email-address authorizations.  Many of the
serious crimes depend upon embedded links rather than use of an
email-address (which are never seen by the majority of recipients).  A
solid basis for the source of an email-address will significantly
enhance protective strategies.  It is a dangerously false premise
that an authorization scheme offers protection, as any assurance in
that regard will increase the success rate of criminal fraud.

> Once we have that, we have the minimal data that a reputation
> system will require to be able to start doing something at least
> mildly useful.

Please note authentication does _not_ include SSP.

> Once we have *that*, we will have (in our reputation systems) a
> built-in market for additional systems for (perhaps less weakly)
> authenticating the desirability (not necessarily solely due to the
> source) of incoming messages.  To some extent, there's a
> chicken-and-egg problem with authentication and reputation
> technologies.  My hope for DKIM is that it will give us one good
> enough egg to produce a chicken, which can then (in much the manner
> that Cain and Abel found their wives, I guess) facilitate a whole
> new generation of authentication technology eggs.

Agreed.  Do not let the ill-conceived SSP derail DKIM.

>> When reputation is applied against an authorization as an
>> identifier, innocent email-address domain owners will be seriously
>> harmed.  Abusers will find acceptance methods for an authorization
>> scheme.
>
> Yes, every one of these schemes will be flawed.  That is why we
> need to understand A) the role of weak authentication (weeding
> out some but not all of the bad guys at any point in time, and
> using multiple sources of information to judge the desirability of
> a message) and B) the need for a continually evolving set of
> (ever-stronger, we hope) mechanisms for proving that a message is
> desirable to the recipient.  Some of those mechanisms will also
> involve (ever-stronger, we hope) sender authentication, but others
> could eventually involve technologies as unrelated to
> authentication as anonymous payment.

To ensure email does not self-destruct, use of reputation against
authorizations _must_ be avoided as imposing highly unfair