spf-discuss

Re: strategic explanation of SPF BOF

2004-05-27 22:12:59
On Thu, May 27, 2004 at 05:06:47PM -0400, Meng Weng Wong wrote:
| 
|   Thu Jun 3 6:30-8:00pm -- SPF Deployment Timeline BOF
| 

Many antispam vendors are already doing SPF checking on the receive
side; the result contributes to the spam score.  I consider this an
encouraging sign, especially since the original SPF spec was only
frozen less than six months ago.  Scoring is an early step.  Using SPF
for whitelisting purposes (which is what AOL is doing) is another
early step.

But there is a three-way chicken-and-egg problem that needs to be
solved before the mainstream can confidently reject on SPF fails.
This is how I see the problem:

* Until a supermajority of forwarders comply with whatever workaround
  hack is ultimately promulgated, be it SRS or DAVE or both,

  ** receivers will be reluctant to reject on "-all" because of the
     risk of false positives due to forwarding.

  ** publishers will be reluctant to define "-all" because of the risk
     of false positives due to forwarding.

* Until publishers default to "-all", and until receivers reject on
  "-all", forwarders will feel no pressure to do SRS or DAVE.

To solve the chicken-and-egg problem, a forcing function has to arise.

I am hoping that this summer the email industry will spontaneously and
collectively agree on a timeline that tells forwarders and other
affected parties when they need to flip the switch.  This may be as
early as Dec 2004, or as late as Dec 2005 (which was Big Bill's
original deadline announced at Davos :).  The important thing is that
everybody gets enough notice to upgrade in time.

At the Inbox Event next week at the Marriott San Jose, on June 3rd,
from 6:30 to 8pm, there will be a BOF to kick off the above process of
schedule-making.  This will be a working meeting.  Industry segments
interested in helping to set the schedule are especially welcome to
participate.

http://www.inboxevent.com/

The BOF is open to all and attendance is free.  I expect a number of
spammers to show up and try to derail the process, so expect an
eventful evening :)

On a strategic level, I want this industry collaboration to succeed
not for the sake of SPF alone.  Eradicating spam is a task comparable
in scope to the smallpox eradication effort of the 1960s and 1970s.
While I believe that SPF is a necessary step, I do not believe it is
the last word.  As a PGP user since 1992, I believe that the email
infrastructure of the 21st century ought to involve cryptography, and
approaches like DomainKeys are the logical next step once SPF is in
place.

I want to see industry collaboration on SPF succeed because that will
smooth the way for future collaboration on DomainKeys or other crypto.
Unfortunately, while it would be ideal to jump straight to crypto
without first passing through the stage of designated sender schemes,
I believe that the history of technological progress shows that there
can be no short cuts.

Therefore the BOF of June 3rd should be seen as a baby step, in which
a hypercompetitive industry learns to self-regulate in the absence of
an explicit government role.  It may sound like a miracle, but other
industries have done it before.  It's not too late to do the same.

If we get a good start at this meeting, we can keep working to refine
the schedule over the course of the summer.  If we can get rough
consensus from industry by August we can announce rollout targets at
the time of the San Diego IETF.

If you plan to attend the BOF, please drop me an email so we can talk
further.

