IETF May Form Working Group on “Reputation Services”

2 minute read

× This article was imported from this blog's previous content management system (WordPress), and may have errors in formatting and functionality. If you find these errors are a significant barrier to understanding the article, please let me know.

Last week I saw a post on the IETF Announcement List seeking feedback on the possible formation of a "Reputation Services" working group. That posting has more information, but the basic abstract is posted below. Now I will admit up front that I tend to see the world through librarian-colored glasses, but creating a mechanism that helps uses make a "meaningful choice about the handling of content requires an assessment of its safety or 'trustworthiness'" sounds like something librarians should be involved with.

In the open Internet, making a meaningful choice about the handling of content requires an assessment of its safety or "trustworthiness". This is based on a trust metric for the owner (identity) of an identifier associated with the content, to distinguish (likely) good actors from bad actors. The generic term for such information is "reputation". This working group will develop mechanisms for reputation reporting by independent services. One mechanism will be for a basic assessment of trustworthiness. Another will provide a range of attribute/value data that is used as input to such an assessment. Each service determines the attributes it reports.

Various mechanisms have been developed for associating a verified identifier with email content, such as with SPF (RFC4408) and DKIM (RFC4871). An existing reputation query mechanism is Vouch-by-Reference (RFC5518). It provides a simple Boolean response concerning a domain name used for email. The current working group effort will expand upon this, to support additional applications -- such as Web pages and hosts -- and a wider range of reporting information.

The announcement points to five IETF internet standard drafts, the first of which is an overarching document: A Model for Reputation Interchange. In that document there are these statements:

It could also be useful in rating the security of web sites, the quality of service of an Internet Service Provider (ISP) or Application Service Provider (ASP), the customer satisfaction levels at e-commerce sites, and even things unrelated to Internet protocols, such as rating plumbers, hotels, or books. Just as human beings traditionally rely on the recommendations of trusted parties in the physical world, so too they can be expected to make use of such reputation information in a variety of applications on the Internet.

What do other people think? Could libraries serve as independent rating bureaus for content? That seems to be possible in this sort of framework. The deadline for comments on whether the IETF should form a working group is October 4th, which is roughly 24 hours after I post this message. If the working group is formed, though, I wonder if libraries should play a part in the development of the standard. I haven't worked in the IETF process before, so I'd especially be interested in hearing the perspectives of any library technologists that work within the IETF.