It might be worth bringing back into the discussion that the standard
consists of 4 parts. The framework (core) and the SPF record definition
provides benefits for everyone and we should encourage their adoption by
the IETF. The PRA algorithm is one of many schemes that receivers might
choose to authenticate a sender. Receivers can decide what
authentication schemes work and are reasonable to license. The PRA
algorithm is specifically targeted at phishing. If Microsoft changes
the rules of the game for the PRA, receivers can and will move to a new
scheme. Yahoo's domainkeys attack the same problem with a solution that
is ultimately better but requires more effort to deploy. SenderID is a
good first step, it is the core and the record definitions that will out
live the individual authentication schemes that use them. If people
feel the core is too encumbered then we might need to restart with the
original work done by Meng and Mark. It would be unfortunate if we
can't use the current momentum.
At Ironport we support 5 out of the top 10 ISP and many of the F500.
These companies want additional layers of defense. We will support our
customers and implement some kind of receiver side authentication, based
on SPF records. SenderID is just a first step, Meng has proposed a
unified SPF where the PRA is just one of the authentication schemes in
the stack.
Getting the framework and the record type standardized should be the
focus of the working group. As both Philip Hallam-Baker and Yakov
Shafranovich have eloquently discussed, the larger philosophical issues
should be debate in a broader community forum.
Craig Taylor
VP, Technology
Ironport System