David Jonsson wrote:
The problem with email path verification is how to start it up. I
suggest the following.
First there is the buildup stage. All mails arriving whose path is not
verified are marked as unauthorised to the recipient and a copy of the
mail is sent back to the sender and the senders postmaster to inform
them that their address has been used in an unverified way. In that way
the sender becomes informed if their address is being misused or that
their servers lack mail path verification. Together with the returned
email is sent information on how to find information to arrange email
path verification in DNS and sendmail (and other MTA's). The return
email also contains information about from which date unverified emails
are going to be rejected.
This buildup stage runs for some months (a predefined period) until all
Internet has been aware of the problem and the solution and reasonable
time has been offered for organizations to implement solutions. After
the buildup stage comes a deadline where all unverified emails are
rejected.
From the techical considerations document
(http://www.ietf.org/internet-drafts/draft-crocker-spam-techconsider-02.txt):
---------snip---------
A key construct to examination of adoption and benefit is
"core-vs-edge". Generally, adoption at the edge of a system is easier
and quicker than adoption in the core. If a mechanism affects the core
(infrastructure) then it usually must be adopted by most or all of the
infrastructure before it provides meaningful utility. In something the
scale of the Internet, it can take decades to reach that level of
adoption, if it ever does.
Remember that the Internet comprises a massive number of independent
administrations, each with their own politics and funding. What is
important and feasible to one might be neither to another. If the latter
administration is in the handling path for a message, then it will
not have implemented the necessary control mechanism. Worse, it well
might not be possible to change this. For example a proposal that
requires a brand new mail service is not likely to gain much traction.
By contrast, some "edge" mechanisms provide utility to the first one,
two or three adopters who interact with each other. No one else is
needed for the adopters to gain some benefit. Each additional adopter
makes the total system incrementally more useful. For example a filter
can be useful to the first recipient to adopt it. A consent mechanism
can be useful to the first two or three adopters, depending upon the
design of the mechanism.
--------snip----------
This is why the ASRG was chartered to look at consent speficially since
this is something that works on the "edge" of the network. Now regarding
specific verification methods, take a look at this presentation:
http://www.elan.net/~william/asrg-emailpathverification-presentation.pdf
As far as I can see the deployment of this solution can be managed by
the Internet society. If this proves impossible I say we must turn to
Koffi Annan, George Bush, Göran Persson or someone else within politics.
The IRTF/IETF does not enforce standards, just researches them and
defines them. There are several foundational documents currently being
discussed and any help with them would help.
Yakov
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg