David MacQuigg wrote:
> What I would most like to see here is a standard so simple and
> non-controversial that it need not get all the way to final status
> before people start following it. Putting it on the standards track
> could do this.

The IETF tried this; it was called MARID (MTA Authorization Records In
DNS). The original charter was well focused and predicated on the
assumption that a simple and field-proven solution was close at hand.
But the effort failed, primarily because (IMHO) the problems of MTA
authentication and authorization proved difficult to isolate. The
"simple" solutions crossed more operational boundaries and reached
deeper into the infrastructure than their authors realized, causing
controversy among even their most ardent supporters. Solutions that
truly were simple were ignored for lacking in breadth of scope and "feel
good" impact.

In short, MARID failed because a simple, non-controversial, and
all-encompassing solution to Internet Mail Authentication does not seem
to exist.

Yet progress is being made. I'm going to be making field trials of
several promising technologies in the next week or two, notably Domain
Keys and BATV. They don't have big marketing budgets behind them, and
they aren't panaceas, but they do provide clean solutions to specific
parts of the problem and are simple to pilot.

I would also like to direct your attention to a marvelous paper by Brett
Watson of Macquarie University detailing all the work we have to do
*after* we have a working authentication system. Authentication is a
necessary first step to controlling spam, but by no means sufficient:
http://www.ceas.cc/papers-2004/140.pdf
<csg>