On 6/10/05 5:06 PM, Matthew Elvey sent forth electrons to convey:
On 6/9/05 11:21 AM, David MacQuigg sent forth electrons to convey:
Matthew, I appreciate your response. I didn't think anyone on this
list was interested.
At 09:21 AM 6/9/2005 -0700, Matthew Elvey wrote:
...
Given 3 options:
1. Do CSV and this neutral syntax.
2. Do this neutral syntax, but not CSV
3. Do CSV, but not this neutral syntax. (If CSV doesn't yield any
actionable information, proceed with other Identity establishing
schemes: Check for valid Domain Keys, then useful SPF records,
etc.)
Given N methods, there are 2**N options for which methods a sender
may install.
So?
I see no reason not to go with 3. (Other than politics - i.e. I see
no technical reason...)
DNS hunting. If you don't know what I mean by that term, read the
introduction to the draft.
I told you, I already read the draft, at least the one that was posted
at the time. I found the following quote on your site:
"The large number of authentication records [of CSV] might make this
method vulnerable to a DoS attack."
This statement is unsubstantiated. Because far fewer domains need to
have ANY records in the CSV scheme, this may mean that CSV requires
fewer DNS records than, say, SPF. Said differently: Ok, with SPF or
QR, one DNS record can authorize all the servers for an entire
domain. With CSV, one DNS record can authorize a server for many domains. E.g.
a webhost that hosts 1 million domains, and runs 10 SMTP servers to
service those million domains. That's a million or so SPF records,
vs. 10 or so CSV records.
There is often no 'hunting', because CSV will often provide actionable
information. A receiver will therefore often NOT try all possible
methods.
I think we just need to agree to disagree. Your scheme doesn't
require network traffic, but it does require SMTP server software be
upgraded.
Unlike SPF or SID it doesn't have severe negative consequences that I
can see. Because your scheme doesn't require ANY network traffic, I
can see why option 1 above is reasonable.
I noticed that you didn't respond to this at all, but rather snipped it,
saying:
< snip discussion of DoS attacks. This is an issue separate from DNS
hunting.>
It ties in. In any case, I'd still like a response; I think this is
misinformation about CSV that you're publishing. Please reply.
Just to be clear: there is no hunting IF CSV provides actionable
information (e.g. information that triggers administrator-defined rules
stating that the message is safe to accept or refuse without further
study), just like there is no hunting if the connecting IP is in a
whitelist or blacklist that the administrator fully trusts/assumes is
always accurate (as opposed to ones used as part of a scoring system).
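As an added illustration of the "hunting" behaviour argued over in this thread (my own example, not code from the thread, from CSV, SPF or the draft), the Python below models option 3 from the earlier message: methods are consulted in the stated order and the receiver stops at the first actionable verdict, so no further lookups happen when CSV already answers. The lookup tables, per-method query costs and host names are constructed assumptions, not measurements of any real protocol.

```python
"""Toy model of 'DNS hunting': constructed example, not protocol code.

Each identity method returns an administrator-level verdict ('accept' or
'reject') or None when it yields no actionable information, together with
the number of DNS queries it issued (illustrative costs, not measured).
"""
from typing import Callable, Optional

Verdict = Optional[str]
Method = Callable[[str], tuple[Verdict, int]]

# Constructed sample data keyed by the connecting client's name.
CSV_TABLE = {"mta1.bighost.example": "accept", "spam.example": "reject"}
DK_TABLE = {"mta2.other.example": "accept"}
SPF_TABLE = {"mta3.legacy.example": "accept"}


def csv_check(client: str) -> tuple[Verdict, int]:
    # Assumed cost: one lookup against the client's own name.
    return CSV_TABLE.get(client), 1


def domainkeys_check(client: str) -> tuple[Verdict, int]:
    # Assumed cost: one key lookup.
    return DK_TABLE.get(client), 1


def spf_check(client: str) -> tuple[Verdict, int]:
    # Assumed cost: SPF evaluation may chain several lookups; modelled as 3.
    return SPF_TABLE.get(client), 3


# Option 3 from the thread: CSV first, other schemes only if CSV is silent.
OPTION_3: list[Method] = [csv_check, domainkeys_check, spf_check]


def evaluate(client: str, chain: list[Method]) -> tuple[Verdict, int, list[str]]:
    """Consult methods in order; stop at the first actionable verdict.

    Returns (verdict, total DNS queries issued, names of methods consulted),
    so the cost of hunting versus an early CSV answer is visible.
    """
    total, consulted = 0, []
    for method in chain:
        verdict, queries = method(client)
        total += queries
        consulted.append(method.__name__)
        if verdict is not None:  # actionable: no further hunting
            return verdict, total, consulted
    return None, total, consulted  # every method silent: full hunt
```

Running `evaluate("mta1.bighost.example", OPTION_3)` stops after one query, while an unknown client costs the full chain of five.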