Sander Devrieze wrote:
> Well, this is maybe also a good (complementary) system you are talking about:
> create a JEP so that end users can add a question. When people not in their
> roster send them a message, the message will be blocked until the sender has
> answered the question right. This question can be localized by the user with
> xml:lang, also his Jabber client might help him with questions. Example
> questions:

Privacy lists (RFC 3921) enable me to allow messages only from people in
my roster, and to help fight spim more (all?) clients and servers need
to implement that functionality! (I should be able to specify the error
message that's returned to you when your message to me is blocked
because you're not in my roster -- at this point we have something like
a challenge-response system, and much as I know some people don't like
those, personally Active Spam Killer has made my email experience at
least bearable now.)

So then the key moment becomes this: when someone sends me a
subscription request. We know it is possible for some person (or bot) to
barrage me with multiple subscription requests, but my client should
block all but the first of those (in fact my server shouldn't send me
anything but the first one until I log in again, since the subscription
state hasn't changed at all). So now I am faced with a momentous
decision: should I add this "person" (could be a nasty bot) to my
roster? From what I've seen, most IM clients don't do a good job of
helping me make this decision. Several things would help:

1. Automatic vCard lookup (who *is* this person?)
2. Google the JID (perhaps it is on some nice person's blog etc.)
3. Enable me to exchange some messages with the person -- "who are
you?", "do I know you?", "do we know someone in common?", etc.

These are all pretty much social mechanisms that we use today, and in
general it's good to re-use those since they've been working fairly well
for thousands of years.

Other possibilities:

4. Look the JID up in key servers or other repositories
5. Look the JID up in some yet-to-be-defined reputation system
6. Ask people in my roster whether they know this person (could be
automated)
7. You ask someone whom we both know to send me a roster item exchange
message (JEP-0144) and that person vouches for your identity to some
extent (like an old-fashioned "letter of introduction")
8. You get someone whom we both know to sign your subscription request
with his key (not very different from #5)

I'm sure there are more mechanisms I haven't thought of.

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
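
The roster-only privacy list and the "first subscription request only" behaviour described in the message above, as an added example that is not part of the original post or of any Jabber project's code. The list name, JIDs, roster contents and the `decide` and `SubscriptionInbox` helpers are constructed for illustration, and only `subscription` and fall-through items are evaluated.

```python
import xml.etree.ElementTree as ET

NS = "{jabber:iq:privacy}"
# Constructed list: deny <message/> from anyone with subscription 'none'
# (RFC 3921 counts JIDs absent from the roster as 'none'), allow the rest.
PRIVACY_LIST = """
<list xmlns='jabber:iq:privacy' name='roster-only'>
  <item type='subscription' value='none' action='deny' order='1'><message/></item>
  <item action='allow' order='2'/>
</list>"""

def load_rules(xml_text):
    """Return the list's items sorted by their 'order' attribute."""
    items = ET.fromstring(xml_text).findall(NS + "item")
    return sorted(items, key=lambda i: int(i.get("order")))

def bare(jid):
    """Strip the resource so roster lookups use the bare JID."""
    return jid.split("/", 1)[0].lower()

def decide(rules, roster, sender, kind):
    """First matching rule wins; kind is 'message', 'iq', 'presence-in', ..."""
    sub = roster.get(bare(sender), "none")
    for item in rules:
        kinds = [child.tag[len(NS):] for child in item]
        if kinds and kind not in kinds:
            continue                      # rule is scoped to other stanza kinds
        rule_type = item.get("type")
        if rule_type is None or (rule_type == "subscription" and item.get("value") == sub):
            return item.get("action")
    return "allow"                        # no rule matched: default is allow

class SubscriptionInbox:
    """Surface only the first pending subscription request per bare JID."""
    def __init__(self):
        self.pending = set()

    def offer(self, sender):
        if bare(sender) in self.pending:
            return False                  # duplicate: subscription state unchanged
        self.pending.add(bare(sender))
        return True

    def resolve(self, sender):
        """Call once the user has approved or denied the request."""
        self.pending.discard(bare(sender))
```

Because the deny rule is scoped to `<message/>`, a stranger's subscription request still reaches the user, which is the decision point the message goes on to discuss.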