Point of order
======
May I humbly raise a point of order to the Chair concerning the projected output
of the MARID WG?
The WG is chartered to produce solutions which "confirm that peer MTA's actions
are authorized by specific domains or networks."
I also note the WG's intention to proceed to 'last call' on Sender-ID within a
few days.
Is it in order for the WG to proceed to last call with a solution which:
- addresses only half the problem space and
- increases the number of unauthorized, frequently virus-carrying, messages
on the Internet?
Chris Haynes
~~~~~~~~~~~~~~~~~~~-
Basis and explanation of the Point of Order:
======
Within the scope of SMTP there are two distinct message types: For brevity I'll
term them 'Original' and 'Bounce'.
With Sender-ID the WG has produced a method for Original messages to be
authorized.
The WG has not yet produced a method for Bounce messages to be authorized.
It has therefore not yet provided a solution for the second half of the problem
space.
Furthermore...
If the Sender-ID authorisation test fails (core-03, section 5.3) the receiving
MTA will return a '550' response to the client MTA, containing further
information about the rejection.
The client will, in most cases, generate and send a Bounce message containing
this rejection information, and it is common practice to include a copy of the
Original message within that Bounce.
Therefore, Sender-ID _requires_ MTAs of previous good repute to generate and
send Bounce messages which:
- Are themselves wholly unauthorised,
- Use information from an Original which is _known_ to be unauthorized,
- May be sent to a destination wholly unrelated to the sender of the Original,
- May contain malicious content copied from that Original unauthorized message.
In essence...
Sender-ID requires a peer MTA to perform the act of sending a message when it is
_known_ that no domain or network has authorized that action.
This is in clear conflict with the WG's own Charter.
~~~~~~~~~~~~~~~~~~~-
PR effect of the current proposal:
======
Just to illustrate the weakness of the current WG proposal, I postulate some
press headlines which, in my opinion, would be technologically accurate:
"<dominant vendor>'s anti-spam scheme backfires - leads to more virus-carrying
messages on Internet"
"IETF chooses <dominant vendor>'s patented, incomplete, flawed approach -
ignores proven solution offered by Open Source community, "
"<dominant vendor> makes another security blunder - and this time takes the IETF
with it!"
Maybe this last headline is not entirely accurate. I'm not sure that promoting
the (avoidable) propagation of viruses is strictly a 'security' issue, but that
would not stop the press using such an eye-catching 'angle'.
~~~~~~~~~~~~~~~~~~~--