[Top] [All Lists]

Re: Has the IETF dropped the ball?

2005-03-09 01:30:14

At 09:34 PM 3/8/2005 -0800, Carl S. Gutekunst wrote:

David MacQuigg wrote:

What I would most like to see here is a standard so simple and non-controversial that it need not get all the way to final status before people start following it. Putting it on the standards track could do this.

The IETF tried this; it was called MARID (MTA Authorization Records In DNS). The original charter was well focused and predicated on the assumption that a simple and field-proven solution was close at hand. But the effort failed, primarily because (IMHO) the problems of MTA authentication and authorization proved difficult to isolate. The "simple" solutions crossed more operational boundaries and reached deeper into the infrastructure than their authors realized, causing controversy among even their most ardent supporters. Solutions that truly were simple were ignored for lacking in breadth of scope and "feel good" impact.

In short, MARID failed because a simple, non-controversial, and all-encompassing solution to Internet Mail Authentication does not seem to exist.

My understanding was that MARID broke up because of Microsoft's surprise disclosure of very broad patent claims threatening any method that uses IP authentication. - first hand account of the "MARID Fiasco" <> - John Levine's analysis of Microsoft's patent claims

Regardless, IETF should not have given up because the MARID group broke up. Maybe they *were* trying to put too much into a unified proposal, or maybe there was deliberate disruption, I don't know, and it doesn't matter. IETF should have continued, perhaps with a different group, focusing on what are the common elements of the different proposals. Every IP authentication method needs to communicate the results of its authentication. If the hard-line advocates can't agree on a simple format for an authentication header, then a neutral expert should propose the format. I understand that expert advocates can make mind-boggling arguments, but that is where IETF needs to exercise its engineering judgement. Give us a simple format that all sides can live with, even if none are happy with less than total victory for their side.

Yet progress is being made. I'm going to be making field trials of several promising technologies in the next week or two, notably Domain Keys and BATV. They don't have big marketing budgets behind them, and they aren't panaceas, but they do provide clean solutions to specific parts of the problem and are simple to pilot.

There does not seem to be much discussion of progress. The press is very negative, and the open-source group seems to have lost its direction. Maybe I'm just not reading the right reports or newsgroups.

I know Microsoft is working full speed behind closed doors. Maybe we should just wait for them to provide us a complete solution. My worry is that there really will be some terrible technical problem, inserted by their legal department or whatever, or that the opposition from the open source community will be so strong that it takes years before we have a widely accepted de-facto standard.

The real issues aren't technical, but social engineering. There is a great benefit for all at the end, but an immediate cost for the players that need to make the next move (ISPs, spam filter companies, and spam blocklists). It looks to me like a logjam with the pressure building, ready for a nudge to break it loose. IETF could provide that nudge with a simple standard focusing on just the items needed for inter-operability. Give us a format for the authentication headers, so we can start implementing domain ratings in our spam filters.

I would also like to direct your attention to a marvelous paper by Brett Watson of Macquarie University detailing all the work we have to do *after* we have a working authentication system. Authentication is a necessary first step to controlling spam, but by no means sufficient:

Excellent paper, but a little out of date. Looks like maybe June 2004 from the discussion, but I can't tell for sure. Anyway its great to see someone actually giving some serious thought to what the email world will look like assuming authentication works. My own view is a bit more positive. If spam was a publicly traded company, I would be shorting their stock. :>) See my "Spam Scenarios" at Give me an interesting challenge, some way you think spam will survive, and I will think of a response and add it to these scenarios.

-- Dave

*************************************************************     *
* David MacQuigg, PhD              * email:  dmq'at'   *  *
* IC Design Engineer               * phone:  USA 520-721-4583  *  *  *
* Analog Design Methodologies                                  *  *  *
*                                  * 9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.             * Tucson, Arizona 85710        *
*************************************************************     *