I looked at the DVP site, and it is functionally almost the same as SPF.
The difference is that instead of the recipient interpreting the SPF
record, a server provided by the sender does whatever it wants with the
same information used by SPF and returns the same results.
http://www.exploits.org/dvp/
The exists mechanism in SPF can provide identical functionality - but
requires running a custom DNS server. The TCP server specified by DVP is
much simpler to implement (the results include a TTL for caching - so even
that is identical to using exists with DNS). What about a "dvp:host"
mechanism which says "consult the DVP server over there"?
I would like to see the two proposals merged in this way - but the DVP
people seem to hate SPF because they see interpreting the SPF record as
executing general purpose code - and hence a security hole. SPF needs to
make the case that SPF interpretation is *not* Turing complete, and has
bounded execution in time and space. The DVP people are particularly
concerned that macro expansion could cause buffer overflows and lead to
exploits (a concern that doesn't exist for SPF implemented with bounds
checking languages such as Python, Java, Pike, Perl, etc.). Even a C
version has only a small amount of non performance critical code needing
bounds checking.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
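
Added example, not part of the original message and not code from the SPF or DVP projects: a bounds-checked macro expander in C, illustrating the point about bounded time and space. It handles only the plain forms of %{s}, %{l}, %{d}, %{i} and the %%, %_, %- escapes; the names spf_ctx, put and spf_expand and the error codes are assumptions of this sketch.

```c
#include <stddef.h>
#include <string.h>

/* Values a macro may expand to; struct and field names are assumptions. */
struct spf_ctx { const char *sender, *local, *domain, *ip; };

/* Append n bytes plus a NUL, or fail without writing if they do not fit. */
static int put(char *out, size_t cap, size_t *len, const char *s, size_t n)
{
    if (n >= cap - *len)            /* invariant on entry: *len < cap */
        return -1;
    memcpy(out + *len, s, n);
    *len += n;
    out[*len] = '\0';
    return 0;
}

/* Returns expanded length, -1 if out is too small, -2 on a malformed macro.
 * Every iteration consumes at least one byte of spec and expansions are
 * never rescanned, so work is bounded by strlen(spec) and output by cap. */
int spf_expand(const char *spec, const struct spf_ctx *c, char *out, size_t cap)
{
    size_t len = 0;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    while (*spec) {
        const char *v;
        if (*spec != '%') {                      /* literal byte */
            if (put(out, cap, &len, spec++, 1)) return -1;
            continue;
        }
        switch (*++spec) {                       /* byte after '%' */
        case '%': v = "%";   spec++; break;
        case '_': v = " ";   spec++; break;
        case '-': v = "%20"; spec++; break;
        case '{':
            if (spec[1] == '\0' || spec[2] != '}') return -2;
            switch (spec[1]) {
            case 's': v = c->sender; break;
            case 'l': v = c->local;  break;
            case 'd': v = c->domain; break;
            case 'i': v = c->ip;     break;
            default:  return -2;
            }
            spec += 3;
            break;
        default: return -2;                      /* includes a trailing '%' */
        }
        if (put(out, cap, &len, v, strlen(v))) return -1;
    }
    return (int)len;
}
```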