ietf-mxcomp

RE: co-chair judgment of consensus related to last call period of 23-Aug-2004 to 10-Sept-2004

2004-09-14 16:54:40

I agree with Andy.

I thought we should have done this all along. The mail from and pra
mechanisms are merely means of interpreting and using the SPF data. The data
itself consists of no more and no less than a set of IP addresses
corresponding to approved outgoing edge servers which may or may not be
known (and specified) to be complete.

                Phill

-----Original Message-----
From: David Woodhouse [mailto:dwmw2(_at_)infradead(_dot_)org]
Sent: Tuesday, September 14, 2004 6:25 PM
To: Andrew Newton
Cc: IETF MARID WG
Subject: Re: co-chair judgment of consensus related to last call period of 23-Aug-2004 to 10-Sept-2004



On Sat, 2004-09-11 at 13:59 -0400, Andrew Newton wrote:
> The document authors have agreed to producing new drafts intended to
> meet the chartered work item, and a consensus call on them or the
> appropriate diffs will be forthcoming.  This work plan does not include
> scopes outside of "mail from" and "pra", and it is our opinion that no
> new work items of this type should be considered until MARID has
> successfully produced a first specification.

I strongly disagree with this opinion. I believe that it does not make
sense to have multiple scopes, and certainly not to plan to add even
more scopes later. I shall explain my reasoning:

The 'mail from' and 'pra' scopes require significant changes in current
practice, which would essentially require the entire Internet to
'upgrade' to conform.

Setting aside the deployment problems posed by this, let us assume that,
despite the fact that most of them haven't even discovered ESMTP yet,
the whole world _does_ actually manage to upgrade tomorrow; to perform
SRS and to add whatever we decide to use instead of the badly-chosen
'Resent-From:' header.

Once such an upgrade has occurred, the identities actually _checked_ by
either scope would be modified automatically by mail servers as the mail
is in transit -- each mail server could pick any arbitrary 'domain' to
put into those identities for checking, as long as the DNS records for
that 'domain' permit the IP address of the server in question.

The identity which is being checked at each hop would no longer be
directly related to the original sender of the mail, but merely serves
as a verified identifier for the entity which controls the mail server
in question, and can be used to determine a level of trust for that
server.

Therefore, the 'mail from' and 'pra' scopes should be considered equal,
not as complementary forms of 'authentication'. Once the whole world has
upgraded, each scope provides merely an arbitrary handle by which to
classify the mail host which is submitting a given mail.

That is why it does not make sense to offer multiple scopes. One would
suffice, and it should be one which does not suffer potential IPR
problems and which does not require such a worldwide 'upgrade'. The HELO
identifier checked against an IP address, or a signature on TLS
certificates, or perhaps the SUBMITTER SMTP extension, would provide an
equally suitable identifier for the entity responsible for a given mail
server, without any of the technical difficulties.

Therefore, the working group should abandon the 'mail from' and 'pra'
scopes and seek a _single_ scope which serves the purpose of identifying
the entity responsible for a given mail server.

The problem of true authentication of senders is a separate one which
needs to be addressed by a true end-to-end method. To use a hop-by-hop
method based solely on IP addresses for such a task is inherently
insecure and is counter-productive due to the confusion it causes.

-- 
dwmw2
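As an added illustration of the two points made in this thread (that the published SPF data is just a set of approved edge-server addresses, and that once MAIL FROM and Resent-From are rewritten in transit every scope checks the same data against the relaying host), here is a toy evaluator written for this page. It is not code from the MARID drafts or from either author; the domains, addresses and records are constructed.

```python
import ipaddress

# Constructed records standing in for published DNS TXT data (not real domains).
# '-all' states the list is complete; '?all' leaves that open.
RECORDS = {
    "example.com":       "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.5 ?all",
}

def evaluate(domain, client_ip):
    """Match client_ip against the ip4 list published for domain.
    Returns 'pass', 'fail' (list stated complete, IP absent), 'neutral'
    (completeness not stated) or 'none' (no record). Only ip4 terms and
    the 'all' terminal are handled; other mechanisms are ignored."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.endswith("all"):
            # Qualifier decides the result for addresses not listed.
            return {"-": "fail", "?": "neutral", "~": "softfail"}.get(term[0], "pass")
    return "neutral"

def check_hop(client_ip, identities):
    """Apply the same address data to every identity presented at one hop.
    identities maps a scope name (helo, mailfrom, pra) to the domain checked."""
    return {scope: evaluate(dom, client_ip) for scope, dom in identities.items()}

# Hop 1: example.com's own edge server submits the mail; every scope is the same domain.
hop1 = check_hop("192.0.2.10",
                 {"helo": "example.com", "mailfrom": "example.com", "pra": "example.com"})

# Hop 2: a forwarder relays it after SRS-rewriting MAIL FROM and adding its own
# Resent-From, so every scope now names the forwarder and passes on its record.
hop2_rewritten = check_hop("198.51.100.5",
                           {"helo": "forwarder.example", "mailfrom": "forwarder.example",
                            "pra": "forwarder.example"})

# Hop 2 without rewriting: the original sender's identities no longer match the
# relaying address, while the HELO identity of the relay still does.
hop2_unrewritten = check_hop("198.51.100.5",
                             {"helo": "forwarder.example", "mailfrom": "example.com",
                              "pra": "example.com"})
```

In both hop-2 cases the only thing verified is which operator controls 198.51.100.5; the rewritten variant simply relabels that fact under the mailfrom and pra scopes.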



