Re: Report on the Email Authentication Summit
2005-07-21 11:18:02

Thanks for the report.

----- Original Message -----
From: "wayne" <wayne(_at_)schlitt(_dot_)net>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, July 21, 2005 1:16 PM
Subject: [spf-discuss] Report on the Email Authentication Summit

Hi everyone!

Yes, the Email Authentication Summit ended a week ago. Yes, I should have sent a report much earlier. No, I don't have a good excuse, other than mismanaged priorities. So, better late than never, here is my report:

The Email Authentication Summit was held in New York City on July 12th. It was a huge success. Originally, they had hoped to get 50 people and scheduled a half-day affair. When they received 100 registrations, they switched it to a full-day schedule. They eventually had to shut off registrations and turn people away. I was told that the official number of attendees was 475, but my estimate based on the number of chairs used was higher.

I talked with as many people as I could, and there was obviously a lot of interest in getting email authentication systems deployed. Deployed now. Deployed now, even though it is well understood that it would involve a lot of work.

It is my understanding that Microsoft actually paid for a large chunk of this summit, but they tried hard to make it an open "industry" conference. I think they were *very* even-handed with their presentations of both SPF (mfrom) and SenderID (pra). There was also a lot of support for doing both DKIM (the Yahoo! DomainKeys and Cisco's IIM merger) and SenderID.

Just this morning, the Email Auth people have put up the presentations and webcasts of all the sessions. See: http://emailauthentication.org/summit2005/

One of the funnest things about the conference was meeting in person so many people I have only known by their posts. I got to meet George Schlossnagle, Craig Spiezle, Phillip Hallam-Baker, Harry Katz, Meng, Larry Seltzer, Doug Otis, Jim Fenton and a whole bunch of others. There were a bunch of others that I wanted to talk with (or talk with more), but there just wasn't that much free time. :-<

The whole conference was moderated by Esther Dyson and I think she did a very good job of running the show. I had forgotten that she used to be the chair of ICANN before it became pure evil. Esther did a good job of tossing out softball questions, like asking Craig Spiezle (Director, Technology Care & Safety Team, Microsoft) things like "there has been a lot of controversy about the SenderID license, but it really isn't a problem, is it?"

The actual presentations and sessions really didn't contain a lot of information that most people here don't already know, but everything was well done and it was good to see a lot of interest from so many people/companies outside the core people trying to make email auth happen. It isn't just "us" who care.

There were lots of vendors around to help people solve their email auth problems. While just about everyone said they were supporting either "SenderID" or "SPF", it was really not very clear to me whether they actually meant the "PRA" when they said "SenderID". If I had time, I would have asked them about it. It was also nice to see that the DMA and ACT booths were empty almost all of the time. ;-)

John Tafoya of Hotmail made a presentation on how Hotmail is showing the PRA checks. During the development, their user feedback sessions told them that showing when emails *passed* the SenderID check caused confusion, so only emails that *fail* show up with a warning. During the question and answer session, someone rightfully pointed out that this was useless and bad. It allows phishers to put in a Resent-Sender: header that will pass, and the Hotmail users will still see the "From: support(_at_)paypal(_dot_)com" line. I don't recall John Tafoya having a good answer to that.

In somewhat related news, I've heard that Hotmail is "only checking the top 1 million domains for SPF records", and from another source that "Hotmail creates a cache of the results of the combination of the SPF records/connecting IP address, and that this cache has finite size." So, that explains why after a couple of months of logging, I have yet to see a single PRA lookup for my domain. Not only don't I send enough email, but my "tracking exists:" mechanism prevents caching.

I talked with someone from GoDaddy who was horrified to learn that their SPF wizard doesn't work and agreed that probably what has happened is that the bug reports just aren't reaching the right people. My bug report (posted here previously) was sent off to the right person (I hope) in GoDaddy, so maybe things will be fixed soon.

I also had very good conversations with both Craig Spiezle and Harry Katz of Microsoft. I got the impression that both of them thought I was just a foaming-at-the-mouth anti-MS person whose only objection to the PRA is because MS likes it. It appeared that they felt that talking with me, and most others in the SPF community, would just generate anti-MS rants and thus be worthless. When I had a chance to explain that my objections to the PRA, and the re-use of SPFv1 records, are for *technical* reasons, they became much more willing to talk with me. I wasn't able to change any minds, but we had good discussions and I think that they will be much more willing to talk in the future.

On the issue of re-use of SPFv1, I did have a good discussion with Harry. Harry explained that they are really dealing with Email Authentication as an 80/20 rule. They want to tackle the 80 percent of the phishing/spam that they can right now, and after they deal with that, they will look at the other 20 percent. They have not seen any significant cases where the re-use fails, and by "significant", they mean enough to prevent them from tackling the 80% that they want to work on right now. Harry's response to most objections is that the domain owners can just opt-out by publishing spf2.0 records if they don't like the re-use. The cases of mailing not adding Sender: headers (around 20%, IIRC from the research done during MARID) are "not significant". Things like SES breaking are not important and domains that use SES can simply opt-out.

Harry did say that he recently heard objections from people who outsource their email to ESPs, where the ESPs handle the bounces, but don't add the appropriate headers. This works with SPFv1, but breaks with the re-use. Both Meng and I immediately responded that this was the "Margaret Olson objection" as discussed during MARID, but Harry seemed to think that Margaret thought that the reuse was fine.

Anyway, I could not come up with any cases of re-use that were "significant", by Harry's definition of "significant".

I pressed Harry on why not just use the mfrom identity instead of the PRA. His response was that the 2821.MAILFROM is not seen by users. I pointed out that neither is the PRA and that problem had been pointed out earlier in the day during the Hotmail presentation. That you *had* to display the verified identity and that if you are going to display something, you can just as easily display the domain name of the mfrom. Harry didn't have a good answer to that.

So, I guess Harry and I are kind of stalemated. I could not convince him that the re-use was bad enough to be of a concern to MS, and he could not convince me that the PRA had any value above what the mfrom already gives.

Another area of concern that I have is that it appears that MS may well be succeeding in convincing the world that "SenderID is an updated replacement for SPF" and that people only need to think in terms of SenderID. I do google news searches every day for SPF and SenderID. It used to be that almost all news stories that referenced SenderID also referenced SPF, but in the last few weeks that has changed and now at least half of the stories only mention SenderID, and few stories mention SPF without also mentioning SenderID.

-wayne

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
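Two technical points in wayne's report lend themselves to a small worked example: the PRA selection that makes a Resent-Sender: header the authenticated identity while the user still sees the From: line, and the SPFv1 record re-use that an spf2.0 record opts out of. The code below is an added illustration, not code from the post, from Microsoft or from the SPF project. It follows the header order of RFC 4407 and the record-selection rule of RFC 4406 in simplified form (the per-Resent-block rules and multiple-mailbox error cases are reduced), and every message, address and TXT record in it is constructed for the example; the mismatch check is the defender-side comparison wayne argues for, namely that whatever identity was verified has to be compared with, or shown next to, what the user is looking at.

```python
"""Added example: Sender ID PRA selection next to the displayed From:,
and spf2.0 vs. v=spf1 record selection per scope. Simplified; the
sample messages and TXT records are constructed, not real data."""
from email import message_from_string
from email.utils import getaddresses

# RFC 4407 checks these headers in this order; the first non-empty one wins.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def select_pra(msg):
    """Return the Purported Responsible Address for an email.message.Message.
    Simplification of RFC 4407: first non-empty Resent-Sender, else
    Resent-From, else Sender, else From. None if the chosen header
    carries more than one mailbox (RFC 4407 treats that as an error)."""
    for name in PRA_HEADERS:
        addrs = [addr for _, addr in getaddresses(msg.get_all(name, [])) if addr]
        if addrs:
            return addrs[0] if len(addrs) == 1 else None
    return None


def domain_of(addr):
    """Lower-cased domain part of a mailbox, or None."""
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def record_for_scope(txt_records, scope):
    """Pick the TXT record that governs a Sender ID scope ("mfrom" or "pra"),
    following RFC 4406 section 4.4: an spf2.0 record whose scope list names
    the scope wins; if there is none, the v=spf1 record is re-used for both
    scopes. Publishing an spf2.0/pra record is the opt-out from re-use."""
    fallback = None
    for rec in txt_records:
        head = rec.split(None, 1)[0].lower()
        if head.startswith("spf2.0/"):
            if scope in head[len("spf2.0/"):].split(","):
                return rec
        elif head == "v=spf1":
            fallback = rec
    return fallback


def identity_report(msg, mail_from=None):
    """Defender-side view: which domain did the check authenticate (PRA),
    which domain does the user see (From:), and what was the MAIL FROM?
    'mismatch' is True when a fail-only warning UI would stay silent while
    the verified identity is not the one the user is reading."""
    pra = select_pra(msg)
    shown = [addr for _, addr in getaddresses(msg.get_all("From", [])) if addr]
    from_domain = domain_of(shown[0]) if shown else None
    return {
        "pra": pra,
        "pra_domain": domain_of(pra),
        "from_domain": from_domain,
        "mfrom_domain": domain_of(mail_from),
        "mismatch": domain_of(pra) != from_domain,
    }


# Constructed sample messages (not real mail).
PLAIN_MESSAGE = """From: support@bank.example
To: user@mailbox.example
Subject: statement

body
"""

RESENT_MESSAGE = """Resent-Sender: relay@other.example
From: support@bank.example
To: user@mailbox.example
Subject: statement

body
"""

# Constructed TXT records for a hypothetical domain.
SPF1_ONLY = ["v=spf1 a -all"]
WITH_OPT_OUT = ["v=spf1 a -all", "spf2.0/pra ?all"]

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_MESSAGE), ("resent", RESENT_MESSAGE)):
        print(label, identity_report(message_from_string(raw), "bounce@bank.example"))
    for scope in ("mfrom", "pra"):
        print(scope, "->", record_for_scope(SPF1_ONLY, scope), "|", record_for_scope(WITH_OPT_OUT, scope))
```

With only a v=spf1 record, both scopes evaluate the same record, so the message with the Resent-Sender: header is checked against other.example's policy while the reader sees bank.example; the report flags that as a mismatch. Adding an spf2.0/pra record changes what the pra scope evaluates without touching the mfrom result, which is the opt-out Harry describes.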