In association with heise online

25 November 2008, 16:54

IETF won't standardise reputation systems yet

The Internet Engineering Task Force (IETF) has abandoned its original intention to standardise reputation systems as part of its effort to curb the effects of spam and email fraud.

The IETF is "a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet". At what was probably the last session of the DomainKeys Identified Mail (DKIM) working group, held during the 73rd IETF Meeting in Minneapolis, most of the experts voted against continuing work in this direction. Dave Crocker, one of the co-authors of the DKIM concept, said that, although there were very interesting approaches to possible reputation systems, standardisation would be premature at present.

DKIM lets a domain take responsibility for a message by attaching a digital signature over a hash of the message body and of selected header fields; the public key needed to verify the signature is published in the DNS of the signing domain, so what is authenticated is that domain, not the IP address of the sending mail server. DKIM was taken up by the IETF as an anti-spam measure, but if it is to be used to ward off spam, an additional assessment of the signer's reputation is needed, because spammers can sign their email too, and a valid signature from a spammer's domain verifies just as well as one from a bank's. Crocker said these systems needed to be better understood before work began on a standard.

A DKIM reputation project by the German eco industry association went undiscussed during the IETF's debates. It was recently presented at a meeting of the eco Sender Authentication Working Group, a fringe event of the 6th German Anti-Spam Summit. Florian Sager, head of the eco working group and managing director of Agitos, an IT services provider, said it was, at present, the world's only reputation project based on DKIM. The DNS data accumulated by the project, along with its information about blocking lists, have recently been made available.

Sager says that only "negative DKIM reputations", i.e. the signing domains of DKIM-signed spam messages, are being listed for now, and that DKIM is preferable to traditional IP-based blocking lists because it permits more precise filtering. Filtering can moreover be keyed on domains, which remain valid for longer than IP addresses, and that in particular helps to reduce the number of false positives.
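To make the two preceding points concrete (what the DKIM signature actually covers, and why a reputation list can be keyed on the signing domain rather than on an IP address), here is an added Python sketch that is neither part of this article nor code from eco's project. It implements the body and header canonicalisation of RFC 6376, computes the bh= body hash, assembles the exact data a signer's private key signs, and then looks the d= domain up in a negative list. The RSA signing and verification step is deliberately left out (a real verifier fetches the public key from DNS and checks the b= tag with an RSA library), and the listed domain bulk-mailer.example is a constructed stand-in, not eco's data.

```python
"""Added example: what a DKIM signature covers, and a domain-keyed reputation lookup."""
import base64
import hashlib
import re

WSP_RUN = re.compile(r"[ \t]+")


def canon_body(body, mode="relaxed"):
    """Canonicalise a message body as in RFC 6376 section 3.4.

    'simple' only drops empty lines at the end of the body; 'relaxed' also
    strips trailing whitespace on each line and collapses runs of SP/TAB to
    one SP. The CRLF line terminators themselves are never removed.
    """
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [WSP_RUN.sub(" ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":          # ignore trailing empty lines
        lines.pop()
    if not lines:                             # empty body: CRLF (simple), "" (relaxed)
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="relaxed"):
    """The bh= tag: base64 of SHA-256 over the canonicalised body (rsa-sha256)."""
    digest = hashlib.sha256(canon_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def canon_header(name, value, mode="relaxed"):
    """Canonicalise one header field (RFC 6376 sections 3.4.1 and 3.4.2)."""
    if mode == "simple":
        return "%s:%s\r\n" % (name, value)
    value = value.replace("\r\n", "")         # unfold
    value = WSP_RUN.sub(" ", value).strip(" ")
    return "%s:%s\r\n" % (name.lower(), value)


def strip_b_tag(sig_value):
    """Empty the b= tag (the signature itself) without touching bh=."""
    return re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)


def signing_input(headers, h_tags, sig_value, mode="relaxed"):
    """Data the signer's private key signs: the h= headers in h= order, then
    the DKIM-Signature field with b= emptied and without its final CRLF.
    Where a header occurs more than once, the last instance is consumed
    first, as RFC 6376 section 5.4 requires."""
    pool = {}
    for name, value in headers:
        pool.setdefault(name.lower(), []).append((name, value))
    parts = []
    for tag in h_tags:
        instances = pool.get(tag.lower())
        if instances:
            parts.append(canon_header(*instances.pop(), mode=mode))
    sig = canon_header("DKIM-Signature", strip_b_tag(sig_value), mode)
    return "".join(parts) + sig.rstrip("\r\n")


def signing_domain(sig_value):
    """The d= tag names the domain taking responsibility for the message."""
    m = re.search(r"(^|;)\s*d=\s*([^;\s]+)", sig_value)
    return m.group(2).lower() if m else None


# Constructed stand-in for a negative DKIM reputation list; not eco's data.
NEGATIVE_DKIM_LIST = {"bulk-mailer.example"}


def dkim_reputation(sig_value, signature_verified):
    """Only a verified signature makes d= trustworthy: an unverified d= is a
    bare claim, so the domain is looked up only after verification."""
    if not signature_verified:
        return "no-valid-signature"
    domain = signing_domain(sig_value)
    return "listed" if domain in NEGATIVE_DKIM_LIST else "not-listed"


if __name__ == "__main__":
    # Constructed message: a spammer's own, validly signed mail.
    body = "Cheap  offers inside \r\n\r\n\r\n"
    headers = [("From", " promo@bulk-mailer.example"), ("Subject", " Hi"),
               ("Received", " from mx1"), ("Received", " from mx2")]
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=bulk-mailer.example; s=sel;"
           " h=from:received:subject; bh=%s; b=" % body_hash(body))
    print(signing_input(headers, ["from", "received", "subject"], sig))
    print(dkim_reputation(sig, signature_verified=True))
```

Two design points worth noting: the signature passes on the spammer's message exactly as it would on a legitimate one, which is why the lookup in `dkim_reputation` is keyed on the verified `d=` and not on whether the signature exists; and the relaxed canonicalisation is what keeps trailing blank lines and whitespace changes introduced by intermediate mail servers from breaking the hash.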

Sager believes it makes sense to combine this with the Certified Sender Alliance (CSA), set up in 2004 by eco and the Direct Marketing Association, which places advertising companies on a positive list in return for a membership fee and acceptance of its rules; CSA senders will, however, first have to switch to DKIM signing. DKIM is still less widely deployed than the older Sender Policy Framework (SPF).

At the IETF meeting in Minneapolis, Robert Morgan of the University of Washington reported on a project to use DKIM signing to safeguard email exchanges between the universities taking part in the Internet2 research network.

Phillip Hallam-Baker, a VeriSign representative in Minneapolis, proposed that a DKIM signature be supplemented with a certificate giving access to further information about the sender that had been confirmed by a third party. The DKIM working group decided that this draft proposal, which may have some connection with VeriSign's certification business, will be pursued as an individual submission rather than as an add-on to the DKIM standard.

The cautious way the IETF handles standardisation in the matter of spam is evidenced by its downgrading of a proposal from the IRTF Anti-Spam Research Group (ASRG) documenting a common format for DNS-based blacklists and whitelists. This, the IETF leadership has now decided, will be published as an informational document rather than as a standard.

The IETF's invitation to comment on the final draft version of the document drew a flood of responses. A further memo on the rules governing the operation of blocking lists is still in the ASRG pipeline.

(Monika Ermert)

(lghp)
