Thursday, May 27, 2004, 2:34:28 PM, meng wrote:
MWW> On Wed, May 26, 2004 at 08:56:07PM -0400, Theo Schlossnagle wrote:
MWW> |
MWW> | I'm ending this thread, on my part at least. My goal was not to win a
MWW> | fight it was to make a good argument. I believe I've done that for at
MWW> | least a few spectators -- hopefully some people that didn't think CBV
MWW> | was irresponsible already.
MWW> Well, thanks for the thread. It certainly broadened my mind and maybe
MWW> we'll turn off CBVs if SPF tests pass or fail definitively, or
MWW> something like that. Also we do try to cache the CBV as best we can.
MWW> SPF makes a lot of other things unnecessary, so we're having to build
MWW> more complex logic where if the SPF test passes we do certain things,
MWW> and if the SPF test fails we do other things, and if there's no data
MWW> we do a third set.
I hope your mystery "third set" doesn't involve innocent customers of
CBV-using ISPs to find their mails or subsequent replies hitting
/dev/null !!
My main objection to domainkeys is that it screws* everyone who might
provide value-added mail services just to authenticate the sender, and
my main objection to SPF/CID is that it doesn't authenticate the
sender - so I think it would be a very good idea to add anything into
SPF/CID to authenticate that the stated sender actually sent the
message: be this via a callback to the sender's ISP's mail system, or
something passed UDP to the sender's DNS, or cryptography, I don't
care: so long as it provides whatever "domainkeys" is looking for. If
we can do this properly, we can hopefully get rid of domainkeys
completely, which will solve a load of additional problems for us all.
Is anyone consulting with Yahoo about this? Surely with MS onboard
the 3 of you could sit around a table and hammer out a single solution
for us all to adopt ?
*"screws" = blocks us from forwarding or altering anything on behalf
of senders (in its current spec anyhow)