ietf-smtp

Re: Has the IETF dropped the ball?

2005-03-09 01:30:14

At 09:34 PM 3/8/2005 -0800, Carl S. Gutekunst wrote:

David MacQuigg wrote:

What I would most like to see here is a standard so simple and non-controversial that it need not get all the way to final status before people start following it. Putting it on the standards track could do this.

The IETF tried this; it was called MARID (MTA Authorization Records In DNS). The original charter was well focused and predicated on the assumption that a simple and field-proven solution was close at hand. But the effort failed, primarily because (IMHO) the problems of MTA authentication and authorization proved difficult to isolate. The "simple" solutions crossed more operational boundaries and reached deeper into the infrastructure than their authors realized, causing controversy among even their most ardent supporters. Solutions that truly were simple were ignored for lacking in breadth of scope and "feel good" impact.

In short, MARID failed because a simple, non-controversial, and all-encompassing solution to Internet Mail Authentication does not seem to exist.

My understanding was that MARID broke up because of Microsoft's surprise disclosure of very broad patent claims threatening any method that uses IP authentication.

   http://podcast.resource.org/rf-rfc/index.html#item0003 - first hand account of the "MARID Fiasco"
   http://www.taugh.com./weblog/patapp.html - John Levine's analysis of Microsoft's patent claims

Regardless, IETF should not have given up because the MARID group broke up. Maybe they *were* trying to put too much into a unified proposal, or maybe there was deliberate disruption, I don't know, and it doesn't matter. IETF should have continued, perhaps with a different group, focusing on what are the common elements of the different proposals. Every IP authentication method needs to communicate the results of its authentication. If the hard-line advocates can't agree on a simple format for an authentication header, then a neutral expert should propose the format. I understand that expert advocates can make mind-boggling arguments, but that is where IETF needs to exercise its engineering judgement. Give us a simple format that all sides can live with, even if none are happy with less than total victory for their side.

Yet progress is being made. I'm going to be making field trials of several promising technologies in the next week or two, notably Domain Keys and BATV. They don't have big marketing budgets behind them, and they aren't panaceas, but they do provide clean solutions to specific parts of the problem and are simple to pilot.

There does not seem to be much discussion of progress. The press is very negative, and the open-source group seems to have lost its direction. Maybe I'm just not reading the right reports or newsgroups.

I know Microsoft is working full speed behind closed doors. Maybe we should just wait for them to provide us a complete solution. My worry is that there really will be some terrible technical problem, inserted by their legal department or whatever, or that the opposition from the open source community will be so strong that it takes years before we have a widely accepted de-facto standard.

The real issues aren't technical, but social engineering. There is a great benefit for all at the end, but an immediate cost for the players that need to make the next move (ISPs, spam filter companies, and spam blocklists). It looks to me like a logjam with the pressure building, ready for a nudge to break it loose. IETF could provide that nudge with a simple standard focusing on just the items needed for inter-operability. Give us a format for the authentication headers, so we can start implementing domain ratings in our spam filters.

I would also like to direct your attention to a marvelous paper by Brett Watson of Macquarie University detailing all the work we have to do *after* we have a working authentication system. Authentication is a necessary first step to controlling spam, but by no means sufficient:

   http://www.ceas.cc/papers-2004/140.pdf

Excellent paper, but a little out of date. Looks like maybe June 2004 from the discussion, but I can't tell for sure. Anyway, it's great to see someone actually giving some serious thought to what the email world will look like assuming authentication works. My own view is a bit more positive. If spam was a publicly traded company, I would be shorting their stock. :>) See my "Spam Scenarios" at http://www.ece.arizona.edu/~edatools/etc/ Give me an interesting challenge, some way you think spam will survive, and I will think of a response and add it to these scenarios.

-- Dave

*************************************************************     *
* David MacQuigg, PhD              * email:  dmq'at'gci-net.com   *  *
* IC Design Engineer               * phone:  USA 520-721-4583  *  *  *
* Analog Design Methodologies                                  *  *  *
*                                  * 9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.             * Tucson, Arizona 85710        *
*************************************************************     *