ietf-mxcomp
[Top] [All Lists]

MARID charter and using 2822 data

2004-06-10 20:09:15



Yah know, I was poking around the MARID stuff and I re-read the
official MARID charter (see

      
In particular, I remembered this:

      [...]                                                   the
      first task of the working group will be to establish which of
      these identities should be associated with MTA
      authorization. Once this decision has been reached, it will
      limit the scope of further activity in this working group, and
      the chairs will rule out of order discussion related to schemes
      which use other identities as the basis of authorization.

I also thought that all decisions made in meetings must be confirmed
on the mailing list.


Now, earlier there was a decision made to go with the 2821
identities.  At the interim meeting, we suddenly changed to 2822
identities with a simple hum.  Is it really possible to violate the
written charter with a single hum, late on the final day and not have
this change confirmed on the mailing list?


I, for one, am becoming ever more queasy about using the Caller-ID
algorithm as our sole choice for RFC2822 verification.  The list of
headers being checked keeps growing, there has been *ZERO* published
data about how effective it is in the real world, and there are no
implementations available for people to check this with.

Jim Lyon said that the Caller-ID algorithm would work for something
like 95% of all mailers, but 5% is really a huge number.  Heck, I
can't even find this claim documented anywhere, so I can't be sure
that I remember it right, yet this is the only statistice that has
been said about the effectiveness of the Caller-ID algorithm.

Worse, the Caller-ID does not strictly validate the 2822 From: header,
which is the *only* header that is universally displayed.  Until such
time that most MUAs have been updated and deployed on desktops,
letting other headers be used makes this validation almost completely
useless.  The *only* thing a spammer/phisher will need to do if we use
the Caller-ID algorithm is to add a single, non-standard and
undocumented X-envelope-to: header to their message.


Yes, I know, everyone *wants* to verify the 2822 data.  It has been
almost universally agreed that it is important.  That doesn't mean it
is wise to jump at any proposal that claims to do so.  Especially when
it is completely untested, still being changed, and ineffective.


We are messing with some of the most important parts of the Internet
and we are hoping to get something without any critical flaws created
in the next month and a half.  Am I the only one who this this is
crazy?


-wayne