[Standards-JIG] privacy2 anti-SPIM proto-JEP

Bart van Bragt jabber at vanbragt.com
Mon Aug 29 21:13:52 UTC 2005


Tomasz Sterna wrote:
> 2005/8/29, Bart van Bragt <jabber at vanbragt.com>:
>> About this challenge system; what if I have a very useful service of
>> XMPP that happens to be automated (i.e. a legitimate bot). Asking users
>> to manually add my bot to their privacy (white)list doesn't sound very
>> appealing to me.
> As soon as they message your bot for help (and add it to correspondents
> list) or add it to roster, they poke a hole in the spimfilter and
> allow messages from your bot. :-)
Which is why I said:
"Asking users to manually add my bot to their privacy (white)list 
doesn't sound very appealing to me."

I really don't like reducing the openness of XMPP. Weeding out 'bad' 
servers or 'bad' clients is fine with me, it's a must have even. But 
bothering your average user with hoops he/she has to jump through or 
letting them deal with unnecessarily complex authorization/subscription 
procedures is IMO not a good solution.

> Oh... If we begin the story of e2ee, web of trust or any other
> advanced technique again, we won't even design the protocol in this
> century.;-)
I'd rather have that than designing something quickly and ending up with 
a network that's a lot less pleasant than it used to be. IMO we can sort of 
compare all this with the current terrorism hype. Everyone has to give 
up privacy and give the government more power so they can catch the bad 
guys (and make some collateral damage in the process). The laws and 
regulations that are currently created (pretty hastily in some cases) 
are laws and regulations that we'll have to live with for years and 
years to come.

> KISS is what I like most in Ian's proposal.
KISS is my favorite band too :P I like some part of his proposal, most 
of all I like the fact that the server is handling all the complicated 
stuff. I just love the 'simple server, complex server' paradigm. IMO 
Ian's proposal fits perfectly in Tijl's proposal. In Tijl's proposal a 
bot would still be able to contact a user without requiring the user to 
intervene (by manually adding it to a whitelist/roster) because it can 
have a certificate that the receiving server trusts or the bot can have 
a high 'web of trust' score. I like that.

Another thought that came to mind. memberbot at jabber.org contacts me, my 
server (vanbragt.com) knows jabber.org (they have been in kindergarten 
together) and asks if memberbot is a good net citizen. We have a 
protocol that makes it trivial to complain about SPIM from JIDs and 
jabber.org knows that there have been 0 complaints in the 41 months that 
memberbot has been registered with the 14.000 messages that the bot has 
sent so far. vanbragt.com is happy with this info and shows me the 
message from memberbot without further ado. Hmm, this would also fit in 
Tijl's proposal.

Tijl, I expect a nice JEP from you on my desk tomorrow morning :P

Bart
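
The receiving-server decision discussed in this message (the roster/correspondents hole, a trusted certificate, and a complaint lookup at a known home server), as an added Python example that is not part of the original message or of any JEP. All class and function names, the `query` callback and the two thresholds are assumptions; the thread specifies none of them, and JIDs are treated as bare JIDs.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

@dataclass
class Reputation:
    """What the sender's home server reports about one of its JIDs (assumed shape)."""
    complaints: int
    months_registered: int
    messages_sent: int

@dataclass
class Recipient:
    roster: Set[str] = field(default_factory=set)
    correspondents: Set[str] = field(default_factory=set)  # JIDs the user has messaged

# Hypothetical policy knobs; the thread proposes no concrete numbers.
MAX_COMPLAINT_RATE = 0.001
MIN_MONTHS = 3

def decide(sender: str, rcpt: Recipient, known_servers: Set[str],
           trusted_cert_jids: Set[str],
           query: Callable[[str], Optional[Reputation]]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'deliver' or 'challenge'."""
    # 1. The user already poked a hole: roster entry or earlier outbound message.
    if sender in rcpt.roster or sender in rcpt.correspondents:
        return "deliver", "user-allowed"
    # 2. Sender presents a certificate the receiving server trusts.
    if sender in trusted_cert_jids:
        return "deliver", "trusted-certificate"
    # 3. Ask the home server, but only if we already know it: a reputation
    #    answer is worth no more than the server that gives it.
    domain = sender.rpartition("@")[2]
    if domain in known_servers:
        rep = query(sender)
        # A JID with no sent messages has no track record (and no rate to compute).
        if (rep is not None and rep.messages_sent > 0
                and rep.months_registered >= MIN_MONTHS
                and rep.complaints / rep.messages_sent <= MAX_COMPLAINT_RATE):
            return "deliver", "good-reputation"
    # 4. Everything else falls back to the challenge system.
    return "challenge", "unknown-sender"

# Constructed sample data; the memberbot figures are the ones quoted in the message.
SAMPLE = {
    "memberbot@jabber.org": Reputation(0, 41, 14000),
    "newbot@jabber.org": Reputation(0, 0, 0),
    "noisy@jabber.org": Reputation(50, 12, 1000),
}

def sample_query(jid: str) -> Optional[Reputation]:
    return SAMPLE.get(jid)
```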


