Reputation Services (repute)
----------------------------

 Charter
 Last Modified: 2011-12-09

 Current Status: Active Working Group

 Chair(s):
     Dave Crocker  <dcrocker@bbiw.net>
     Chris Lewis  <clewis+ietf@mustelids.ca>

 Applications Area Director(s):
     Pete Resnick  <presnick@qualcomm.com>
     Barry Leiba  <barryleiba@computer.org>
     Peter Saint-Andre  <stpeter@stpeter.im>

 Applications Area Advisor:
     Pete Resnick  <presnick@qualcomm.com>

 Mailing Lists: 
     General Discussion:domainrep@ietf.org
     To Subscribe:      https://www.ietf.org/mailman/listinfo/domainrep/
     Archive:           http://www.ietf.org/mail-archive/web/domainrep/

Description of Working Group:

    In the open Internet, making a meaningful choice about the handling
    of content requires an assessment of its safety or "trustworthiness".
    This can be based on a trust metric for the owner (identity) of an
    identifier associated with the content, to distinguish (likely)
    good actors from bad actors.  The generic term for such information
    is "reputation".  This working group will develop mechanisms for
    reputation reporting by independent services.  One mechanism will be
    for a basic assessment of trustworthiness.  Another will provide a
    range of attribute/value data that is used as input to such an
    assessment.  Each service determines the attributes it reports.

    Various mechanisms have been developed for associating a verified
    identifier with email content, such as with SPF (RFC4408) and DKIM
    (RFC4871).  An existing reputation query mechanism is
    Vouch-by-Reference (RFC5518). It provides a simple Boolean
    response concerning a domain name used for email.  The current working
    group effort will expand upon this, to support additional
    applications -- such as Web pages and hosts -- and a wider range of
    reporting information.

    Given the recent adoption of domain name verification for email,
    by SPF and DKIM, the most obvious initial use case for reputation is
    for email.  Inbound email filters that perform message authentication
    can obtain a verified domain name and then consult a reputation 
service
    provider to make a determination (perhaps also based on other
    factors) of whether or not the content is desirable and take
    appropriate action with respect to delivery, routing or rejection.

    Another possible use case is identity-based evaluation of web
    content using technologies such as the DKIM-derived DOSETA
    (work in progress).

    This working group will produce specifications (targeting the
    standards track, though the working group will determine the
    appropriate status) for:

       * the detailed requirements for reporting

       * an end-to-end system architecture in which reporting occurs

       * the mechanisms and formats for reporting

    Two mechanisms are under consideration:

       * simple -- a reputation is expressed in a simple manner,
                   via records in the DNS
               (see draft-kucherawy-reputation-query-dns)

       * extended -- a response can contain more complex information
                 useful to an assessor, reported over HTTP using
                     an encoding such as XML or JSON
                 (see draft-kucherawy-reputation-query-http)

    The syntactic and semantic aspects of mechanisms and formats will be
    designed to be application-independent and portable (i.e., reputation
    provider-independent).  By distinguishing reporting information
    (format) from reporting mechanism (channel), the specifications
    will permit adaptation to support reporting through additional
    channels.  Limited application-specific tailoring will be
    provided for email, to demonstrate the approach, which can be
    applied for supporting additional applications.  The design and
    specification will also permit adaptation to support reporting
    through additional transport channels.

    Items that are specifically out of scope for this work:

       * Specific actions to be taken in response to a reputation reply.
         It is up to assessors (i.e., the consumers of reputation data)
         to determine this.  Non-normative illustrations, however, can
             be included to demonstrate possible uses of reputation data
         in a particular context.

       * Selection of what data might be valid as the subject of a
         reputation query.  It is up to reputation service providers and
         assessors to select which qualities of a body of data might
         be useful input to reputation evaluation.

       * Concerns about methods of verifying domain names that are used
         for email reputation.  A verified domain name is a starting point
         for this work; the means by which it was obtained and the
         "meaning" of the name or its verification are matters for
         discussion elsewhere.

       * Algorithms to be applied to aggregated feedback in order to
         compute reputations.  These are part of a back-end system, 
usually
         proprietary, and not appropriate for specification as part of
         a query/reply framework and protocol.

    The initial draft set:
        draft-kucherawy-reputation-model
        draft-kucherawy-reputation-media-type
        draft-kucherawy-reputation-query-http
        draft-kucherawy-reputation-query-dns
        draft-kucherawy-reputation-query-udp
        draft-kucherawy-reputation-vocab-identity

 Goals and Milestones:

   Mar 2012       Informational document, defining the problem space and solution 
                architecture, to the IESG for publication. 

   Mar 2012       Specification for the multi-attribute reporting data structure, 
                to the IESG for publication. 

   May 2012       Informational document, defining the vocabulary for providing 
                reputation in the email sphere, to the IESG for publication. 

   Jul 2012       Specification defining the simple query mechanism, to the IESG 
                for publication. 

   Jul 2012       Specification for the extended query mechanism, to the IESG for 
                publication. 

   Oct 2012       Informational document, discussing issues of data transparency, 
                redress, meta-reputation and other important operational 
                considerations, to the IESG for publication. 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Nov 2011 Jan 2012   <draft-ietf-repute-media-type-01.txt>
                A Media Type for Reputation Interchange 

Nov 2011 Jan 2012   <draft-ietf-repute-query-http-01.txt>
                Reputation Data Interchange using HTTP and XML 

Nov 2011 Jan 2012   <draft-ietf-repute-email-identifiers-02.txt>
                A Reputation Vocabulary for Email Identifiers 

Nov 2011 Nov 2011   <draft-ietf-repute-model-00.txt>
                A Model for Reputation Interchange 

 Request For Comments:

  None to date.