Given the cacophony of verbiage you guys are throwing up I am not replying
to individual emails point be point, instead I am following the repeated
directions of the chair and I am collecting my points into one post.
I am not going to use a different email client to post to this list, the
references field is NOT mandatory. And a RIM device is in any case not going
to support anything other than top posting. And in any case RFC 2822 is NOT
an IETF standard while RFC 822 is. I have a standards compliant email
client, folk who demand support for Draft standards will be ignored.
When I said I agreed with the position raised by Andy that is exactly what I
meant. And yes we are re-opening discussions that were previously closed.
That is a consequence of having train wreck.
I find it very difficult to see at this point any area in which the work in
the group has improved the specifications over the input documents. We seem
to have even less consensus and industry support than we started with.
People need to decide who they are working for. Are they trying to build
something that will benefit the wider community or are they only interested
in developing systems that benefit themseves? There is a reason I use
commercial Internet software rather than niche applications for techies, it
isn't for my benefit, it is because it is the only way I can understand
problems from the perspective of the average user.
-----Original Message-----
From: David Woodhouse [ mailto:dwmw2(_at_)infradead(_dot_)org
<mailto:dwmw2(_at_)infradead(_dot_)org> ]
Sent: Wednesday, September 15, 2004 3:59 AM
To: IETF MARID WG
Subject: Re: co-chair judgment of consensus related to last
call period
of 23-Aug-2004 to 10-Sept-2004
On Tue, 2004-09-14 at 20:35 -0500, wayne wrote:
[top quoting fixed, extra words deleted, and the Reference: header
restored. All due to brain-dead mail software.]
Thanks for fixing that; it's amazing how poorly people will behave in
public fora. Personally, I configure my mailing lists to
reject any mail
with 'Re:' in the Subject: header but neither References: nor
In-Reply-To: headers. Philip, you really ought to invest in some
non-broken mail software if you want to use it in public.
"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> writes:
David Woodhouse [ mailto:dwmw2(_at_)infradead(_dot_)org
<mailto:dwmw2(_at_)infradead(_dot_)org> ] wrote:
I strongly disagree with this opinion. I believe that it
does not make
sense to have multiple scopes, and certainly not to plan
to add even
more scopes later. I shall explain my reasoning:
I agree with Andy.
No, apparently you agree with David Woodhouse. It is easy to get
confused when you don't use proper quoting.
I thought we should have done this all along.
Yes, I know. This was discussed long ago. The rough consensus was
against your opinion. I thought that while there should be multiple
scopes, we could have one record that covered them all. The rough
consensus was against my opinion.
Now, can we *PLEASE* stop re-raising old issues everything
someone new
comes into this working group?
Maybe I have indeed missed the discussion on this precise topic, but I
suspect you might both have missed my point -- and in either case I
apologise. Philip might be used to upside-down email and have thought
that my first paragraph was in fact my conclusion, but I didn't expect
that of you so it's probably my fault for not being concise enough in
the first place.
I was not saying that we should ditch either pra or mail-from
scope and
continue with only one or the two, which I know is an opinion
which has
been voiced before.
I was saying that we should ditch _both_ pra and mail-from scopes and
continue with something more appropriate.
The point was that the mail-from and pra scopes are _both_ only useful
for determining a trust level for a given mail server, by determining
whom it belongs to. The 'domain' we use becomes nothing more than an
arbitrary 'trust handle' which isn't even seen by most users
anyway, as
it's hidden in the Return-Path: or
Resent-From:^WForwarded-For: headers.
The mailfrom/pra scopes are not useful as end-to-end validation that a
given mail really did come from the person from whom it
claims to come.
A mailfrom/pra 'PASS' is neither necessary nor sufficient to make that
judgement reliably. There are both false positives and false negatives
if one were to inadvisedly use it for such a purpose.
Yet the very nature of the scopes makes it easy for the naïve user or
admin to believe that they can be used that way. Therefore, it is
actually counterproductive -- because it encourages a mistaken belief
that this provides real end-to-end authentication when it cannot.
My suggestion is that we should go forward with an entirely
_different_
scope, not just unify on either mail-from or whatever the unencumbered
pra replacement would be.
There are many possibilities which would offer us some 'handle' on the
owner of the mail server in question, without all the problems which
both mail-from and pra scopes suffer.
--
dwmw2