ietf-mxcomp

Re: Soundings ? RE: Semantics and Syntax

2004-05-10 09:34:49

I still have a more general question. Both of the approaches below have value 
and I personally like the idea of creating an MTA policy expression mechanism.
My question is whether this is in the scope of what this group is chartered to
do. I realize this has already been given some thought in the SPF and CID
proposals, but given the timelines for this group does it seem reasonable to 
think that we could agree on a well thought out syntax for email policy 
statements by next month?
[John Leslie wrote:]
   Phill is thinking in terms of:
- IP address;
- whether they support SSL, S/MIME;
- accreditations;
- etc.

   I am thinking in terms of what the servers are "authorized" to do:
- what policies does the domain manager have;
- how are these policies monitored;
- what level of trust does the domain manager suggest;
- what reputation services might we ask for a second opinion.

   Both viewpoints have their value. Neither of us should dismiss the
other as misguided.

(2) is a consequence of (1) + (3)

   This, alas, is hand-waving. There is no hope of our writing guidelines
for interpretation based on <the MARID record> and <the internet goop>;
since the "internet goop" is constantly changing.

We can DEFINE (1), we can DESCRIBE and to a very limited extent hope
to REFORM (3).

   Indeed, we _must_ define <the MARID record(s)>. I am particularly
concerned that we define to fit a well-defined task. Since we are
chartered to document "authorization" of MTAs, I will spend a good
deal of effort to document what MTAs are authorized to do.

   I see little point in describing the "internet goop" -- it changes
too fast. I do share Phill's hope to reform the "internet goop"; but
to whatever extent we succeed, describing it becomes even harder.

I do not see the identities question as being any part of (1). If you
state where the edge servers are the effect on identities is a 
consequence of (3).

   This is one way to look at it -- but it strikes me as an incredibly
_difficult_ way to look at it. To interpret the MARID records based
upon one's current understanding of "the internet goop" prevents those
who advertise MARID records from having a clear understanding of what
authorization they advertise.

It is pretty easy to define (1) in a formal sense as Bob and myself
have been doing. (3) is somewhat tricky, but if it could be done
we could arrive at a proof of whether (2) was correct or incorrect.

   One could, OTOH, formally define the MARID records in such a way
that the interpretation of them _doesn't_ depend on what lies between
the authorized MTA and the receiving MTA; and let any divination be
performed later on a per-user basis. I prefer that strategy.

--
John Leslie <john(_at_)jlc(_dot_)net>


