Draft: draft-ietf-sipping-spam-04
Reviewer: Vijay K. Gurbani
Review Date: March 5th, 2007
Review Deadline: March 17th, 2007
Status: post WGLC

Summary: Ready as Informational

I do not have further comments on the draft, save a couple of clarifications below. I will leave it up to you whether or not to include them in -05 and beyond.

* In S3.3, I wanted to suggest the use of tagged addresses as one possible solution to the "introduction problem" you posit in that section. More specifically, there are programs (see TDMA, http://tdma.net/index.html) that combine temporal addresses with the challenge-response mechanism to solve the introduction problem.

  The basic issue with the introduction problem is that I cannot put a contact on my white list who I have never met before. However, by combining temporal addresses and a challenge-response mechanism, I can do this as follows: I sent an email to my colleague who I have not conversed with in years, thus I am not on his white list. His MUA does not recognize my email address, so it sends me a challenge. This challenge requires me to send an email response to a temporal address related to my colleague's real email address. This temporary address expires in, say, 28 hours. If I successfully send a response to the temporary address, I am automatically added to the white list, and the program sends my quarantined email to my colleague.

  This is equivalent to the challenge-response used in web-based captchas, except that (a) here, it is not visual or auditory, and (b) occurs entirely in email; no web-page is accessed.

  So, what does this mean for the text in S3.3? You could leave it as is, which is fine with me. Or better yet, if you agree on what I write below, you could replace the *last* paragraph of S3.3 with the following:

     The introduction problem remains, however. In email, techniques like the Turing tests (see Section 3.8) have been employed for this purpose. Also, in email the introduction problem can be solved and managed to a great extent by automatic tools that use temporal addresses coupled with a challenge-response mechanism to maintain the white list. Whether or not the techniques that work with email will be applicable to SIP spam is yet to be determined.

* Editorial nit: S3.8 - The last sentence of the first paragraph appears out of context. The bulk of the paragraph talks about Captchas, and then in the end, there is a sentence on visual and auditory Turing tests. I think it is better placed at the end of the first sentence, possibly in brackets. Something like this:

     In email, Turing tests are those solutions whereby the sender of the message is given some kind of puzzle or challenge, which only a human can answer (since Turing tests rely on visual and auditory puzzles, they sometimes cannot be solved by individuals with handicaps.)
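
The challenge-response flow with temporal addresses described in the review above, as an added example that is not part of the original review or of any mail program it mentions. The address format, the HMAC tag, the binding of the address to the challenged sender, and the names Mailbox, receive and confirm are assumptions made for illustration; only the 28-hour lifetime comes from the text.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed value; a per-user secret is assumed
TTL = 28 * 3600                    # the 28-hour lifetime mentioned in the review

def _tag(user, sender, expires):
    # Assumed design: the tag binds the address to one sender and one expiry.
    msg = f"{user}|{sender.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def temporal_address(user, domain, sender, now):
    expires = int(now) + TTL
    return f"{user}-confirm-{expires}-{_tag(user, sender, expires)}@{domain}"

class Mailbox:
    def __init__(self, user, domain):
        self.user, self.domain = user, domain
        self.whitelist = set()
        self.quarantine = {}       # sender -> held message bodies
        self.inbox = []

    def receive(self, sender, body, now):
        """Deliver if whitelisted; otherwise hold and return the challenge address."""
        sender = sender.lower()
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return None
        self.quarantine.setdefault(sender, []).append(body)
        return temporal_address(self.user, self.domain, sender, now)

    def confirm(self, sender, rcpt, now):
        """Process a response addressed to a temporal address."""
        sender = sender.lower()
        local, _, domain = rcpt.partition("@")
        parts = local.rsplit("-", 3)
        if domain != self.domain or len(parts) != 4 or parts[:2] != [self.user, "confirm"]:
            return False
        if not (parts[2].isascii() and parts[2].isdigit()) or now > int(parts[2]):
            return False           # malformed or expired address
        expected = _tag(self.user, sender, int(parts[2]))
        if not hmac.compare_digest(parts[3].encode(), expected.encode()):
            return False           # forged tag, or response from a different sender
        self.whitelist.add(sender)
        self.inbox.extend((sender, b) for b in self.quarantine.pop(sender, []))
        return True
```

Because the expiry and the sender are covered by the tag, the receiving side needs no per-challenge state beyond the quarantined mail itself.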