ietf-mxcomp

Re: Everyone back from Seoul yet?

2004-03-09 20:10:32

In <p06020404bc73b4a485bb(_at_)[129(_dot_)46(_dot_)227(_dot_)161]> Ted Hardie 
<hardie(_at_)qualcomm(_dot_)com> writes:

I'm currently working on a charter, based on the BoF; the charter
is focused on a single deliverable:  Develop an MTA authorization DNS
resource record to signal to peer MTAs that an MTA is authorized to
send mail.

I may be reading more than I should into what Ted has said here, but I
am concerned about this.

First, I don't think there is going to be a "single deliverable".
There are several identities that need to be authenticated and/or
authorized.  These different identities have different properties and
need different methods to solve the problem.

I think it is likely that there will need to be completely separate
proposals for:

1)  The "is this IP address authorized to be an MTA?" question.
    (e.g., MTA-Mark, SS, DUL lists, etc.)

2)  The "is this IP address authorized to use a given domain name in
    the MAIL FROM (and HELO) address?"  (e.g. RMX, SPF, DMP, etc.)

3)  The "is this From: header from who it claims to be from?"  (GPG,
    S/MIME, DomainKeys, Caller-ID, etc.)


There may well be more related problems to solve, and some of these
may be subdivided.

Is there going to be a more detailed description of what is going to
be done here?

In particular, I think a list of "requirements"/"should haves"/"it
would be nice ifs" can be fairly quickly drawn up for each of those
three areas.  Doing so would likely make the process go much faster.



*Don't Wait* for a charter, though; please continue to work on the
ideas that were discussed.

I understand this, but it somewhat bothers me that it appears that we
will be going back to square one and ignoring the discussions that
have taken place elsewhere, and what has been learned by actual
deployment of actual systems.

If you are planning to open everything up again for discussion, expect
things to take a very long time to come to a rough consensus.


One of the comments that Ted made at the opening to the BOF was
something along the lines of "can the IETF put together something
useful in a timeframe that is needed?"  I think this is a *very*
important point.  The IETF is coming into this very late and runs the
risk of producing an irrelevant document if it moves too slowly.

Both Yahoo and Microsoft are already well along on their
*development* and *testing* tracks for their proposals and they are
large enough to make an impact on the email world all by themselves.
SPF is rapidly approaching 10,000 published domains on their adoption
roll and there are probably 100,000-500,000 domains that have SPF
records.  (Most of these are parked domains, but that still means that
SPF is blocking spam claiming to be from these bogus domains.)


I'd say the broad question is "What are the semantics that this record
needs to convey" and the first key question is "What *identity* is it
that needs to be authorized".

To be honest, I think those questions are well answered in the LMAP
document.  While I could see a review of the contents of the LMAP
document for people who aren't as familiar with the subject, I think
this review should be brief.


-wayne