ietf-mxcomp

Re: IPR Disclosure for Sender-ID

2004-08-03 16:49:17


> On Tuesday, 3 August 2004, at 23:19, Douglas Otis wrote:
>
> > These records could be something like:
> > "Marid_1 rf=*.big.isp.com, *.ads-r-us.com;"

> About CSV, I have taken a quick look at the drafts (sorry, I haven't had
> the time to read them thoroughly), and I have a question and a remark:
>
> - Question: SPF currently has the extremely useful and flexible "exists"
> mechanism, which, combined with its built-in macro expansion, allows for
> designing very fine-grained and flexible exceptions to the general SPF
> rule for a given domain, i.e. per user and subnet.

If using CSV, any exceptions would be per hostname.  As an alternative to
using the exists, which checks for yet another DNS record, simply set up
differing subdomains with different rules.  Although the same games are
possible when referring to an EHLO domain list, I am philosophically
opposed to expecting DNS queries to replace the domain's task of user
authentication.  DNS does not scale well enough to do this task
iteratively, nor can these records grow to the extent needed to allow this
range of exceptions.

> Let's say big-company.com has an SPF record listing their main outgoing
> mail servers; they can easily include supplementary records that would
> list field people posting from a given ISP server, or local office
> people using their own local SMTP server, etc.

They could also set up a subdomain that adds this new domain.

> This can be most useful in a number of situations.
>
> Does CSV have provisions for such a mechanism, or an equivalent?

CSV identifies the channel.  This channel name can scale well if there is
a desire to restrict mail fields.  The manner these EHLO domains are
referenced allows a great deal of flexibility.  I would suggest a type of
wildcard would find the TXT record, and within the TXT record would be a
list of wildcarded names.

DNS allows exceptions to a wildcard. This would mean that if there is a
record for staff.big-bank.com, this record would be seen.  If there is no
record for staff but just a general record, then *.big-bank.com could
return this query.

> Now for the remark: I am strongly opposed to the idea of
> would-become-mandatory "accreditation services".

CSV does not require or mandate an accreditation service.  This was added
to allow for a large market of such services to help reduce the number of
services inspected to discover an affiliation.

> I'm opposed to it for both philosophical and practical reasons.
>
> First, "accreditation services" will turn into businesses, which will
> translate into cost, which means that every domain that will want to send
> mail out will have to support this new cost: having to pay a commercial
> "accreditation" company to get listed there, if they want their mail to be
> accepted.

CSV allows each MTA to maintain their own name database.  If it is a new
name, offer highly reduced bandwidth.  A simple scheme is used to control
the bandwidth for cable users, as an example.  This can regulate to any data
rate without changing the content of the packet, without dropping packets,
and requires only a very small amount of memory to achieve this.

> This will introduce costs that many non-profit, personal or vanity domains
> will not be able to afford, and I oppose the idea that anybody should have
> to pay a commercial company for being allowed to send mail.

If you do not use such a service, you still benefit.  BATV will help.
There is nothing that requires anyone to use an accreditation service.  It is
completely optional.

> The advantage of current blacklist systems is that no one has to pay for
> getting blacklisted ;-) and, if some blacklists are commercial, such as
> MAPS, you need to pay to use and query them, not to be listed in them or
> not...

What?  There is no relationship between a MAPS client and those that get
listed. There are several large ISPs that would testify to that!  The
millions of dollars spent servicing legal defenses (never going anywhere)
forced MAPS into a paid service.

> Also, big companies that send large amounts of email will be well-known and
> listed by most, if not all, accreditation services, whereas little domains,
> small businesses and individuals that send a very small amount of mail will
> mostly be "unknown" everywhere, and the acceptance of their mail might
> suffer from this.
>
> IMHO, one should be deemed innocent until proved guilty, and the
> "accreditation services" system turns things upside down: one will be
> presumed guilty unless listed as innocent. Bad, bad, bad.
>
> The advantage of blacklists, on the contrary, is that, if ever you get
> listed, there is probably a reason, and if you're not listed you're
> presumed innocent. Much better.
>
> Comments?

There are companies that follow the whitelisting model.  As a matter to
reduce legal exposure, MAPS would like to change this to be a simple
statement of past behavior, good or bad.  The longer a domain exists
without problems, the better the domain will look.  The current DNA
proposal does not reflect where I would hope this to be going.  John has
stated he is open to changes.  This is an area that needs work.

-Doug
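The two exception mechanisms argued over above, the SPF "exists" with macro expansion (per user and per address) and the CSV-style wildcard record with a more specific owner name overriding it (per hostname), as an added example that is not code from this thread or from the SPF or CSV authors. A dict stands in for DNS, so nothing is resolved on the network. The zone contents, the host names under big-company.com and big-bank.com, the "rf=" field (the thread's sketch of a channel record, not a field defined in any CSV draft) and all helper names are constructed assumptions. The macro expander follows RFC 7208 section 7 for the common macros; the wildcard lookup follows the RFC 1034 / RFC 4592 closest-encloser rule, which is what lets staff.big-bank.com carry its own record while *.big-bank.com covers everything else.

```python
"""SPF 'exists' macro expansion versus CSV-style wildcard channel records.

Added example, not code from the ietf-mxcomp thread.  Zone data, the
'rf=' field and all names below are constructed for illustration.
"""
import fnmatch
import ipaddress

# Constructed zone: owner name -> record data.  Wildcard owners ('*.x')
# follow RFC 1034 s4.3.3 / RFC 4592: an explicit owner name, and every
# name beneath it, is never covered by a wildcard higher in the tree.
ZONE = {
    # SPF 'exists' target for %{ir}.%{l}._spf.%{d}: alice may send from
    # 192.0.2.1 (constructed A record; the content is irrelevant to SPF).
    "1.2.0.192.alice._spf.big-company.com": "127.0.0.2",
    # CSV-style records keyed by sending domain, listing the EHLO names
    # allowed to speak for it.  staff.* overrides the domain wildcard.
    "*.big-bank.com": "rf=*.big.isp.com, *.ads-r-us.com;",
    "staff.big-bank.com": "rf=mail.staff.big-bank.com;",
}


def _name_exists(zone, name):
    """A name exists if it owns data or is an ancestor of an owner name."""
    return name in zone or any(o.endswith("." + name) for o in zone)


def dns_lookup(zone, qname):
    """Record data for qname with DNS wildcard semantics, or None.

    Exact match wins.  Otherwise the wildcard at the closest encloser
    (longest existing ancestor) applies, but only if qname itself does
    not exist as an empty non-terminal.
    """
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return zone[qname]
    if _name_exists(zone, qname):
        return None                       # exists but has no data (NODATA)
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if _name_exists(zone, parent):    # closest encloser found
            return zone.get("*." + parent)
    return None                           # NXDOMAIN


def expand_spf_macro(spec, ip, sender, domain):
    """Expand the RFC 7208 s7 macros typically used in 'exists' targets.

    Supports %{s} sender, %{l} local-part (default 'postmaster'),
    %{o} sender domain, %{d} domain, %{i} IP (dotted quad, or dotted
    nibbles for IPv6), the 'r' reversal and a right-hand label count.
    Only '.' is handled as label delimiter.
    """
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    ip_text = ".".join(addr.exploded.replace(":", "")) if addr.version == 6 else str(addr)
    values = {"s": sender, "l": local or "postmaster", "o": sender_domain,
              "d": domain, "i": ip_text}
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "%" and i + 1 < len(spec) and spec[i + 1] == "{":
            end = spec.index("}", i)
            letter, mods = spec[i + 2], spec[i + 3:end]
            if letter not in values:
                raise ValueError("unsupported macro %%{%s}" % letter)
            parts = values[letter].split(".")
            if "r" in mods:
                parts.reverse()           # reversal happens before truncation
            digits = "".join(c for c in mods if c.isdigit())
            if digits:
                parts = parts[-int(digits):]
            out.append(".".join(parts))
            i = end + 1
        elif spec[i] == "%" and i + 1 < len(spec) and spec[i + 1] in "%_-":
            out.append({"%": "%", "_": " ", "-": "%20"}[spec[i + 1]])
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def spf_exists(zone, mechanism, ip, sender, domain):
    """SPF 'exists:' (RFC 7208 s5.7): matches when the expanded name has
    any record at all.  Returns (expanded target, matched)."""
    target = expand_spf_macro(mechanism[len("exists:"):], ip, sender, domain)
    return target, dns_lookup(zone, target) is not None


def csv_channel_allows(zone, domain, ehlo_name):
    """Look up the channel record for domain (exact owner, else the
    wildcard at its closest encloser) and test ehlo_name against the
    wildcarded names in its 'rf=' list.  None: no record published."""
    record = dns_lookup(zone, domain)
    if not record or not record.startswith("rf="):
        return None
    patterns = [p.strip().lower() for p in record[3:].rstrip(";").split(",")]
    # Shell-style '*', so '*.big.isp.com' also covers deeper host names.
    return any(fnmatch.fnmatchcase(ehlo_name.lower(), p) for p in patterns)


if __name__ == "__main__":
    for user in ("alice", "bob"):         # per-user, per-address exception
        target, ok = spf_exists(ZONE, "exists:%{ir}.%{l}._spf.%{d}", "192.0.2.1",
                                user + "@big-company.com", "big-company.com")
        print(f"{target:40} {'match' if ok else 'no match'}")
    for dom, ehlo in (("ops.big-bank.com", "mx1.big.isp.com"),
                      ("staff.big-bank.com", "mx1.big.isp.com"),
                      ("x.staff.big-bank.com", "mx1.big.isp.com")):
        print(f"{dom:22} via {ehlo:16} -> {csv_channel_allows(ZONE, dom, ehlo)}")
```

Running it shows the trade-off the thread is about: the SPF record lets alice, and only alice, send from 192.0.2.1 at the cost of one synthesised DNS name per (address, user) pair, while the CSV-style zone needs only two records, yet the staff subtree gets its own rule and x.staff.big-bank.com gets nothing, because the closest encloser is staff.big-bank.com and no wildcard lives there.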