[Top] [All Lists]

Re: Has the IETF dropped the ball?

2005-03-08 22:33:40

David MacQuigg wrote:

What I would most like to see here is a standard so simple and non-controversial that it need not get all the way to final status before people start following it. Putting it on the standards track could do this.

The IETF tried this; it was called MARID (MTA Authorization Records In DNS). The original charter was well focused and predicated on the assumption that a simple and field-proven solution was close at hand. But the effort failed, primarily because (IMHO) the problems of MTA authentication and authorization proved difficult to isolate. The "simple" solutions crossed more operational boundaries and reached deeper into the infrastructure than their authors realized, causing controversy among even their most ardent supporters. Solutions that truly were simple were ignored for lacking in breadth of scope and "feel good" impact.

In short, MARID failed because a simple, non-controversial, and all-encompassing solution to Internet Mail Authentication does not seem to exist.

Yet progress is being made. I'm going to be making field trials of several promising technologies in the next week or two, notably Domain Keys and BATV. They don't have big marketing budgets behind them, and they aren't panaceas, but they do provide clean solutions to specific parts of the problem and are simple to pilot.

I would also like to direct your attention to a marvelous paper by Brett Watson of Macquarie University detailing all the work we have to do *after* we have a working authentication system. Authentication is a necessary first step to controlling spam, but by no means sufficient: