On Sep 8, 2004, at 5:06 PM, wayne wrote:
Publishing SPF records with PRA information has never been a problem
for me (and I think for most others).
The problem is the PRA can not be implemented in most F/OSS MTAs and
spam filters.
Is this a double standard? You do not wish to be restricted by the
encumbrances of another's license yet you wish to restrict others to
the encumbrances of your software license.
I fail to see what crucial information is needed in the DNS record to implement
PRA that is also not needed by SPF check?
Thus I fail to see why the DNS record has to specify the algorithm that will be
used on the approved mail servers specified in the DNS? Do we think by
inserting "pra" or "spf" we will really control what all receivers do?
The main point is that the standard of what goes into the DNS record should not
be supporting a proprietary standard.
This compromise gives those unwilling to accept the license for PRA the
ability to check MAIL FROM while allowing those willing to accept the
license for PRA the ability to check the PRA. However, everybody can
publish both.
The compromise adds fuel to fire fragmented syntax for DNS records. In future,
I envision large corporate senders only specifying "pra", because they do not
have time to test with "spf", just as the situation we have now with many
writing web sites for IE and not for other browsers.
The PRA is an 2822 identity, which does not cover the
same problem space as the 2821.MAILFROM. The suggestion of using
2821.MAILFROM to get around the SenderID patent mess is like
suggesting using DES to get around the RSA patent mess. Yeah, they
vaguely cover the same general area, but really, they are quite
different.
Just because an identity appears in the same RFC does not mean it has
any better relationship for sender authentication. Certainly
2821.MAILFROM and 2822.From are more closely correlated than 2822.From
and 2822.Cc.
The only thing we are doing is specifying the approved mail servers.
Everything else is our attempt to pick a winning technology for interpreting
the data of approved mail servers.
If you could come up with a proposal that has broad consensus that
covers the 2822 identities, I could see letting both that proposal and
the PRA going forward. However, I don't see any such proposal.
The syntax does account for future scopes.
Inherently. No need to limit the scope, since you can not limit it. Once you
publish the data of approved mail servers, it is open game to use the data.
There will be many competing technologies and implementations, just as there
are now in anti-spam, unless possibly if we hand a "silver bullet" to a
monopoly to stifle that experimentation. I realize you do not want speculation
on the future, and only on the merits as of today. So I will state as fact
that no one can prove today that any of the methods for interpreting the
approved mail servers will be better than the other.
-Shelby Moore
http://AccuSpam.com