IETF had real problem is that it did not wish to deal with how their
protocols would be deployed. This is the main reason of failures of number
of protocols that have been created and why others are less used then
they could be. Certain conclusion must (and have) been drawn out of this
and it would be unfortunete if we choose to go the same road again.
IMHO, the largest deployment hurdle will be to get 63 million of domain owners
(growing at 1.5 million per month) to publish and maintain a DNS record. (See
my post at spf-discuss for source).
Presenting these non-technical people with the complexity of choosing which
scope their approved mail servers will be used and other complex options we
might provide them, seems to run counter to the 80/20 rule for deployment.
I simply do not see why we need scope in order to get people to publish which
mail servers they approve for sending email?
This is not unexpected conclusion either. However, I note that MAIL FROM
is different identity which is used entirely inside SMTP stream and not
usually seen by end-users. The problem here is not as much "phishing" as
it is a DoS that happens when your domain is used without your permission
and you get all the bounces.
Disagree. There are many possible ways verifiers might use the spf data and
specification. You can not preordain those uses unless you have a crystal ball.
This group should to solve both problems,
I do not think this group will solve "these problems". I think this group will
define a standard for publishing the approved mail servers and then let the
internet and marketplace work towards solving "these problems" and other
related problems (e.g. spam).
but we should not say that you
are going to be able to solve either one problem or the other depending
on if you're part of the open-source community or commercial product
developer willing to get a supposedely "free" license.
Agreed. And I think the most efficient way to reach that concensus and to not
inhibit the use of the standard, is to not try to specify the scope of the
algorithm (since it can be ignored any way).
But as I indicated above, I'm concerned that the IPR issue with SenderID/PRA
are still unresolved and if we standartize PRA as chair is suggesting, only
some be able to do this type of verification and on the other hand only
some would do mail-from checking, etc. This separatism is a dangerous road
to take for IETF work, we want to have one unified internet-wide standard
not a standard for you and standard for me!
Agreed.
I think we should decide on SenderID/PRA all by itself.
Agreed, but I would prefer to find a "win-win" common denominator approach.
Either we find
an acceptable solution that will allow everybody to implement it
Publishing the approved mail servers is something everybody can agree to do I
think?