ietf-mxcomp

RE: clarification on consensus call for compromise

2004-09-10 16:01:23

Mark Lentczner wrote:
There has been quite a bit of discussion here about either removing
scopes or allowing some sort of universal or wildcard scope.

I'd like to clarify the terminology a little, just to make sure we are
talking about the same thing:

- universal/mandatory scope: A scope which is mandatory, universally
understood, and required for MARID compliant implementation. Basically, a
foundation scope which all domains must publish and MTAs must evaluate under
MARID.

- wildcard scopes/no scopes: A way of saying the MARID record applies to all
MARID scopes. (your made-up example: "spf2.0/* +mx +a -all")

From the rest of your message, I am guessing that you are against wildcard
scopes, but not universal scopes?

If so, I would agree: I am against wildcard scopes. I would also say that
I'm for at least one universal/mandatory scope.


-----Original Message-----
From: owner-ietf-mxcomp@mail.imc.org
[mailto:owner-ietf-mxcomp@mail.imc.org] On Behalf Of Mark Lentczner
Sent: Friday, September 10, 2004 03:54 PM
To: IETF MARID WG
Subject: Re: clarification on consensus call for compromise


There has been quite a bit of discussion here about either removing
scopes or allowing some sort of universal or wildcard scope.

I would not support such a concept because it lessens the strength of
what a domain is saying by publishing records.  In particular, if a
domain were to publish (making up a syntax...):

        example.com. IN A SPF2 "spf2.0/* +mx +a -all"

We have to wonder what this record says.  It authorizes a set of hosts
to use the domain "example.com" as part of which identities in mail?
All of them?  Including identities that we haven't named a scope for
yet?

I certainly wouldn't publish such a record for my domain, as I don't
know what I'm making such an assertion about.  While I might be willing
to believe that the "+mx" and "+a" directives are going to be
reasonable for any such identity (after all, the reference machines I
presumably have control of), I can't make such a statement about
"-all".  I don't know that there might be some notion of identity, as
yet undefined, for which I'd need to include other hosts.

While other site owners might be willing to take such risks and publish
such records, the ability to do so lessens the effectiveness for the
whole scheme.  If domains are able to make claims like "We didn't know
about that identity check when we published "spf2.0/*" - you can't ding
our reputation based on that check." or " - you can't reject mail that
doesn't pass", it means that the whole scheme is diminished.

In short, when we say "domains authorized the use of identity X by
publishing an SPF record" we do so because we are going to hold them
accountable if the authorization passes, and reject if it fails.  And
for those actions to have any force, the declaration of authorization
has to be incontestable.

        - Mark

Mark Lentczner
http://www.ozonehouse.com/mark/
markl@glyphic.com
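The following is an added example, not code from the thread or from any MARID implementation. It models how a verifier would pick the "spf2.0/<scopes>" record for a given scope (the real scope names mfrom and pra are assumed, as in Sender ID), plus the hypothetical wildcard "spf2.0/*" from Mark's made-up syntax, to show that a wildcard record would commit a domain to "-all" for a scope that did not exist when the record was published.

```python
# Added example; scope selection for spf2.0 records is modeled here,
# not taken from the MARID drafts. The "*" wildcard is the thread's
# made-up syntax and is not part of any published specification.
from typing import Optional


def parse_scopes(record: str) -> Optional[tuple[set[str], str]]:
    """Split a record into (scopes, terms); None if not an spf2.0 record."""
    version, _, terms = record.partition(" ")
    if not version.startswith("spf2.0/"):
        return None
    scope_list = version[len("spf2.0/"):].split(",")
    scopes = {s.strip().lower() for s in scope_list if s.strip()}
    return scopes, terms.strip()


def select_record(records: list[str], scope: str,
                  allow_wildcard: bool) -> Optional[str]:
    """Return the terms of the first record that covers `scope`.

    A record whose scope list contains "*" matches any scope, including
    ones unknown at publish time, but only when allow_wildcard is True.
    """
    wanted = scope.lower()
    for rec in records:
        parsed = parse_scopes(rec)
        if parsed is None:
            continue  # not an spf2.0 record (e.g. a plain TXT record)
        scopes, terms = parsed
        if wanted in scopes or (allow_wildcard and "*" in scopes):
            return terms
    return None


# Constructed sample zone: one explicitly scoped record and one wildcard
# record, both ending in "-all" as in the thread's example.
SAMPLE_RECORDS = [
    "v=spf1 +mx -all",                  # ignored: not spf2.0
    "spf2.0/mfrom,pra +mx +a -all",     # explicit scopes
    "spf2.0/* +mx +a -all",             # the made-up wildcard
]


def applies_to_future_scope(records: list[str], allow_wildcard: bool) -> bool:
    """True if a scope that did not exist at publish time gets a record."""
    return select_record(records, "future-scope", allow_wildcard) is not None
```

With explicit scopes only, a verifier evaluating a scope the publisher never named finds no record and must treat the domain as making no assertion; with the wildcard it would apply "-all" to that scope.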