ietf-mxcomp

Re: "If you believe that the SPF concept is fundamentally flawed, please subscribe at http://www.imc.org/ietf-mxcomp/"

2005-05-25 18:03:03
Douglas Otis wrote:
The following is a greeting when subscribing to spf-discuss:
-------------------------------
[...]
,---
| The SPF mailing list is intended for constructive discussion and
| promotion of SPF. If you believe that the SPF concept is
| fundamentally flawed, please subscribe instead to the ietf-mxcomp
| mailing list at http://www.imc.org/ietf-mxcomp/
'---
[...]
-----------------------------------

It would appear subscription to spf-discuss acknowledges acceptance of
the SPF concept.

True.  Constructive criticism is welcome, but the SPF community is for the 
largest part convinced that the concept in itself is not fundamentally 
flawed, so any criticism that implies the contrary is not considered 
constructive.

We have had so many flamewars on spf-discuss in the past that it seriously 
disturbed any constructive work.  That made us, who were convinced of SPF 
and wanted to get some real work done, draw a line.

There are many forums where destructive criticism about SPF is welcome.  If 
you need one, you know where to find one.

However, problems related to SPF have become even more 
pronounced since dissolution of the MARID WG.  Sender-ID has usurped the
initial SPF record for PRA evaluation, and is advising use of methods in
conflict with bounce-address validation efforts.

Obviously, this is not an inherent problem of SPF, but a problem of the 
Sender-ID drafts.  We are currently working with the IETF to resolve this 
issue.

The Sender Authentication Whitepaper, passed on to MAAWG from the FTC
conference, has not undergone requested changes.  There are several
assertions that remain misleading and in error.

SPF _is_ fundamentally flawed as it removes accountability from the
email providers, at the expense of the domain owners and consumers.

This is a highly subjective assessment, nothing more.

Contrary to the promotions, SPF will not stop spam.

Who is promoting SPF as an anti-spam solution?  I'd really like to know.

SPF will not prevent your domain from being forged, without great
diligence by now anonymous email providers, as well as, universal
compliance at each public MTA,

Absolute security requires absolute deployment.  Not even PGP is going to 
absolutely guarantee the authenticity of your messages if 95% of the world 
can't check your signatures due to lacking PGP support.

and a slew of modifications made to every email client.

Nonsense.  Show us why.

I can not accept the premise there are no serious concerns related to
publishing SPF records.  No scheme without a reputation assessment will
prevent email abuse.

SPF is about establishing authenticity.  Reputation assessment is separate.

Abusers are among the first to adopt changes offering greater access.

He who favors messages simply because they yield SPF "Pass" results has not 
understood SPF.

Abusers may actually utilize your SPF records to usurp previously good
reputations.

Only if you let them.

What is worse, redemption of your reputation may not be practical.

So, are you saying that the concepts of accountability and reputation are 
fundamentally flawed?

Besides, did I mention reputation assignment and assessment is separate 
from SPF?

The rest I don't bother commenting on.  I advise people to make up their 
own minds instead of buying into FUD.

Beware, SPF may bite!

Woof, indeed!
