[Asrg] On assertions

Steve Atkins steve at blighty.com
Tue Jul 29 11:01:56 PDT 2008


On Jul 29, 2008, at 10:33 AM, der Mouse wrote:

>> A self-assertion which has a positive effect on the delivery rate of
>> the apparent sender is unlikely to be believed, as any crook can make
>> that assertion, and many will.
>
> It's not quite so clear to me.
>
> A self-assertion on the part of a sender which if believed would have
> positive effect on mail _apparently_ from that sender, well, mostly
> agreed, but see below.
>
> A self-assertion on the part of a sender which if believed would have
> positive effect on mail _actually_ from that sender seems like a
> clear-cut case, but it's not quite so simple.  Such assertions are
> unlikely to be accepted blindly, but they _can_ be of use in that they
> inherit the claimer's reputation: a sender with a good reputation can
> usefully make such claims.

I'm talking about simple self-assertions. Once you put a reputation
system into this then it's a completely different game (but, once there's
a reputation system in play then the benefits of positive self-assertions
are... unclear).

If you know through some other means that the actual sender is
trustworthy then there are other possibilities for a receiver to make
some use of assertions that sender makes about a particular piece
of email (as in TEOS) but I'm not sure there's much real world demand
for that.

>> A self-assertion which has a negative effect on the delivery rate of
>> the apparent sender of mail is likely to be believed, as there's no
>> real incentive for the domain owner to publish it, apart from
>> "because it's true". "I send no mail" is the obvious example of that.
>
> I disagree that there's no incentive to apparent senders to publish
> such assertions: it makes them less attractive forgery targets.  If the
> entity has a good reputation in non-email respects, this may be a
> substantial benefit.

Yup. But there's no incentive to make a false negative self-assertion,
in any obvious case I can think of. The benefits are when it's true.

>> sent in-band perfectly well - it's prima facie false in that case, but
> that's not the same thing.  (Admittedly, this is hairsplitting.)
>
>> Many other assertions are transmitted in-band "This is a mime
>> message", "This was sent on this date", "this was sent by this
>> person", "this is an html message" and so on.
>
> Interesting you mention "this was sent by this person", because that's
> an example of a self-assertion that can improve delivery - many
> recipients use per-apparent-sender whitelists.  The major reason such
> assertions aren't useless in practice, I think, is that the assertion's
> effect is recipient-dependent.


The contents of the "From:" address, an smime signature, a dkim
signature, pgp encapsulation and a .sig file are all assertions that
"this was sent by this person".

Some are more trustworthy than others, but they're all useful to
base delivery decisions on - but only after you've tied them into
some sort of reputation system.

Cheers,
   Steve
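
A receiver-side sketch of the distinctions drawn in this thread, added here as an illustration and not part of the original message: a published negative self-assertion is believed outright, an in-band positive self-assertion is ignored, and an identity assertion affects delivery only through the reputation of a verified signer. The domains, reputation values, thresholds and the X-Not-Spam header are constructed; the code assumes the Authentication-Results header was stamped by the receiver's own border MTA, and it simplifies by giving an unverified From: address no weight at all.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed receiver-side data; every domain and value here is hypothetical.
REPUTATION = {"good.example": 0.9, "spammy.example": -0.8}  # keyed by verified signer
SENDS_NO_MAIL = {"quiet.example"}  # domains publishing "I send no mail"
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.I)

def verified_signers(msg):
    """Signing domains our own verifier passed. Assumes Authentication-Results
    is stamped by our border MTA and sender-supplied copies are stripped."""
    signers = set()
    for value in msg.get_all("Authentication-Results", []):
        signers.update(d.lower() for d in DKIM_PASS.findall(value))
    return signers

def decide(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Negative self-assertion: believed as published, so this mail is a forgery.
    if from_domain in SENDS_NO_MAIL:
        return "reject"
    # A positive self-assertion (the made-up X-Not-Spam header) is never read.
    # Identity assertions count only through the reputation of a verified signer;
    # a valid signature from an unknown domain scores a neutral 0.0.
    score = sum(REPUTATION.get(d, 0.0) for d in verified_signers(msg))
    if score > 0.5:
        return "accept"
    if score < -0.5:
        return "reject"
    return "filter"  # hand over to ordinary content filtering

def sample(from_addr, signer=None):
    """Build a constructed test message, optionally with a passing DKIM result."""
    lines = [f"From: {from_addr}", "X-Not-Spam: yes", "Subject: hello"]
    if signer:
        lines.append(f"Authentication-Results: mx.rcpt.example; dkim=pass header.d={signer}")
    return "\n".join(lines) + "\n\nbody\n"

if __name__ == "__main__":
    for addr, signer in [("a@good.example", "good.example"), ("a@good.example", None),
                         ("a@new.example", "new.example"), ("ceo@quiet.example", None)]:
        print(addr, signer, decide(sample(addr, signer)))
```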
