19 Nov 22:15
Standardizing reputation query mechanisms
Robert Barclay <rbbarclay <at> gmail.com>
2004-11-19 21:15:08 GMT
Lately, despite the low level of activity on this list, there has been a great deal of activity in the development of a new generation of reputation services beyond the existing blacklist/whitelist paradigm. Several (including one I am working on) either are available in some state currently or are in development.

This is an exciting development for the email industry in general, but does present some challenges. The primary one is that most of these services are commercial to some extent or another, which makes sharing information difficult. Despite this, an overwhelming concern I have heard from ISPs and MTA vendors is that each of the developing services is publishing its data in a slightly different way, and beyond that several protocols have been suggested as standards for querying this data. An area where it should be possible for all of us to work together without the problems of commercial damage is in development and deployment of a standard protocol for publishing and querying reputation data.

This problem is much more complicated than it may on its face appear, because reputation services will have a much wider range of semantics than traditional blacklists. They will return different levels of granularity of data, from a single binary score, to a huge range of scores over individual data points or even customized scores for individual queriers. Or they may provide a list of suggested actions to be taken. They may have a need to allow email receivers to guide the semantics of the query (e.g. I want elements x, y, and z but not the other 23).

The advantage of getting us all to agree on the mechanisms to access and exchange this data is that the mechanism can be built into every MTA (if desired) and all of the systems will be supported without need to develop new libraries every time someone creates a system. A standard protocol also makes it more straightforward to compare various services to decide which are useful.
I am currently compiling a list of requirements I have heard from many of the people I have spoken to (with no attempt to remove incompatible ones or prioritize them as of yet). I intend to get this sent out this evening or tomorrow at the latest. From there I hope for meaningful discussion on these requirements (or goals if that term is less controversial) and then to move on to comparison of the various proposed protocols against the goals to see where they fit, where they don't, and whether they can be made to fit.

The ultimate goal would be that there was a single protocol widely agreed upon that people deploy in their software and which all of the reputation services can use as a publication format. Just to clarify this one step further I will state as an objective that we have actual deployments within the first quarter of next year and not just endless debate.

I have copied a few people directly because I am not sure if they are currently subscribed to this list. For those of you not subscribed please contact chairs <at> asrg.sp.am if you are interested in joining. Similarly if I have missed anyone who you think should join please invite them.

Regards,
Robert Barclay
Return Path, Inc.
rbarclay <at> returnpath.net