ietf-mxcomp

Re: co-chair judgment of consensus related to last call period of 23-Aug-2004 to 10-Sept-2004

2004-09-14 15:25:05

On Sat, 2004-09-11 at 13:59 -0400, Andrew Newton wrote:
> The document authors have agreed to producing new drafts intended to 
> meet the chartered work item, and a consensus call on them or the 
> appropriate diffs will be forthcoming.  This work plan does not include 
> scopes outside of "mail from" and "pra", and it is our opinion that no 
> new work items of this type should be considered until MARID has 
> successfully produced a first specification.

I strongly disagree with this opinion. I believe that it does not make
sense to have multiple scopes, and certainly not to plan to add even
more scopes later. I shall explain my reasoning:

The 'mail from' and 'pra' scopes require significant changes in current
practice, which would essentially require the entire Internet to
'upgrade' to conform. 

Setting aside the deployment problems posed by this, let us assume that
despite the fact that most of them haven't even discovered ESMTP yet,
the whole world _does_ actually manage to upgrade tomorrow; to perform
SRS and to add whatever we decide to use instead of the badly-chosen
'Resent-From:' header.

Once such an upgrade has occurred, the identities actually _checked_ by
either scope would be modified automatically by mail servers as the mail
is in transit -- each mail server could pick any arbitrary 'domain' to
put into those identities for checking, as long as the DNS records for
that 'domain' permit the IP address of the server in question. 

The identity which is being checked at each hop would no longer be
directly related to the original sender of the mail, but merely serves
as a verified identifier for the entity which controls the mail server
in question, and can be used to determine a level of trust for that
server.

Therefore, the 'mail from' and 'pra' scopes should be considered equal,
not as complementary forms of 'authentication'. Once the whole world has
upgraded, each scope provides merely an arbitrary handle by which to
classify the mail host which is submitting a given mail.

That is why it does not make sense to offer multiple scopes. One would
suffice, and it should be one which does not suffer potential IPR
problems and which does not require such a worldwide 'upgrade'. The HELO
identifier checked against an IP address, or a signature on TLS
certificates, or perhaps the SUBMITTER SMTP extension, would provide an
equally suitable identifier for the entity responsible for a given mail
server, without any of the technical difficulties.

Therefore, the working group should abandon the 'mail from' and 'pra'
scopes and seek a _single_ scope which serves the purpose of identifying
the entity responsible for a given mail server.

The problem of true authentication of senders is a separate one which
needs to be addressed by a true end-to-end method. To use a hop-by-hop
method based solely on IP addresses for such a task is inherently
insecure and is counter-productive due to the confusion it causes.

-- 
dwmw2
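A small simulation of the hop-by-hop situation the post describes: the forwarder rewrites MAIL FROM (SRS-style) to its own domain before relaying, so the IP-based check at the next hop validates the forwarder's chosen domain rather than the original sender's, and a HELO check at that hop identifies the same entity. This is an added example, not code from the original mail or from any MARID draft. The domains, addresses and policy records are constructed; the policy check models only an ip4-style allow-list (real SPF has many more mechanisms), and the SRS rewrite is simplified (no hash or timestamp).

```python
"""Simulated hop-by-hop sender check with SRS-style forwarding (added example)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed stand-in for published DNS policy: domain -> permitted IPv4 networks.
POLICY = {
    "alice.example": [ipaddress.ip_network("192.0.2.0/24")],
    "forwarder.example": [ipaddress.ip_network("198.51.100.0/24")],
}


def check_domain(domain, client_ip):
    """'pass' if client_ip is permitted by the domain's policy, 'fail' if not,
    'none' if the domain publishes no policy at all."""
    nets = POLICY.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in nets) else "fail"


@dataclass
class Message:
    mail_from: str
    # One record per receiving hop: (receiving host, mail-from domain checked,
    # mail-from result, HELO name checked, HELO result)
    hops: list = field(default_factory=list)


def srs_rewrite(mail_from, forwarder_domain):
    """Simplified SRS0-style rewrite: the original sender is folded into the
    local part and the envelope domain becomes the forwarder's own domain.
    Constructed simplification: real SRS also embeds a hash and a timestamp."""
    local, _, orig_domain = mail_from.partition("@")
    return f"SRS0=HASH=TS={orig_domain}={local}@{forwarder_domain}"


def deliver(msg, client_ip, helo_name, receiving_host):
    """The receiving host checks both identities it can see at this hop
    (envelope MAIL FROM domain and HELO name) against the connecting IP."""
    mf_domain = msg.mail_from.rsplit("@", 1)[1]
    mf_result = check_domain(mf_domain, client_ip)
    helo_result = check_domain(helo_name, client_ip)
    msg.hops.append((receiving_host, mf_domain, mf_result, helo_name, helo_result))
    return mf_result, helo_result


def simulate():
    """Two hops: alice's own server -> forwarder -> final destination."""
    msg = Message(mail_from="alice@alice.example")
    # Hop 1: alice's server (192.0.2.10) hands the mail to the forwarder,
    # which checks alice.example against that IP.
    deliver(msg, "192.0.2.10", "alice.example", "forwarder.example")
    # The forwarder rewrites the envelope sender to a domain under its control.
    msg.mail_from = srs_rewrite(msg.mail_from, "forwarder.example")
    # Hop 2: the forwarder (198.51.100.5) relays onward; the final hop can only
    # check the identities the forwarder chose to present.
    deliver(msg, "198.51.100.5", "forwarder.example", "final.example")
    return msg


def original_sender_checked_at_final_hop(msg):
    """True only if the last hop's MAIL FROM check concerned the original sender's domain."""
    return msg.hops[-1][1] == "alice.example"


if __name__ == "__main__":
    for hop in simulate().hops:
        print(hop)
```

Both checks at the final hop come back "pass" for forwarder.example, which is the point the post makes: after rewriting, the MAIL FROM scope yields the same handle for the relaying host that a HELO check already provides, and neither says anything verified about alice.example.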
