SPF: Not just a clever idea
2004-06-07 01:07:01
Despite some negative comments about the technical details of the merger, I
have to say that overall I am quite pleased with the new direction set by
Meng, and my reasons for feeling pleased are for the most part
non-technical.
Because I think the technical aspects of the merged proposal have been
getting a lot of bandwidth and attention, I would like to dedicate some
time and energy to discussing the non-technical facets of SPF and my
feelings about the future.
SPF is not a new idea. SPF is based on an idea whose time has come:
specify outgoing mailers and use that info to permit only certain IPs to
use your domain name. It is not the first of its kind: SPF owes its origin
to RMX, DMP, and others (Vixie, Church, Danisch, Feyck, etc).
I think SPF stands the best chance of succeeding out of all of these, but
not because the idea is dramatically better. SPF owes its success to the
hard work of its community members, most notably Meng, but there are plenty
of others. The hard work has not been in thinking up clever ideas... the
hard work comes in talking to others, expressing our ideas coherently,
listening to others, understanding roadblocks, working together to solve
them, producing working code, testing, changing, etc.
So, for this reason I believe that SPF's strongest asset is not its spec,
but its people. The community of people that has sprung up around SPF is a
great cross-section of the email industry. Each of us has our own
concerns, constituents, agendas, etc., but we are all united in a common
cause: stop email forgery. For this cause we have donated our ideas, time,
energy, enthusiasm, and other resources.
My personal feeling is that ending forgery will take a long time, so we had
better get started, and get as many people on board as we can, as soon as
possible. To me, which particular interpretation/expression of the idea we
choose to get behind is not as important, but getting rolling soon, and
getting many allies early in the game are most important. If we are all
pulling the same direction, we can make a lot of progress quickly, and a
lot of things that used to be impossible now become possible. If there are
minor differences between two expressions of the same idea, I believe it is
much more powerful to pick one and go with it, together, than to stick to
an idea that we think is superior, but turns a potential ally into a
competitor.
Also, I believe that Microsoft is not the enemy. A lot of people have
strong feelings that Microsoft is evil. I don't. They are simply another
player, and they are a big one... they control servers (exchange) MUAs
(outlook) and one of the largest email services (hotmail).
It is a testament to our success that Microsoft approached Meng to talk
about convergence. Most of the time when Microsoft wants to master a new
technology, they just go out and do it. In this case, enough of their
customers and partners said "Hey, hang on, what about SPF?" that they
decided to take the time to talk to Meng to see if convergence was even
possible. Meng should be proud that we got to this point, and so should we
all be.
Still, we are not the only fish in the sea, and MS Caller ID is not a
slouch of a proposal either. If there were no convergence, or if the deal
is scuttled for whatever reason, SPF Classic can continue to go its way and
MS CID can continue to go a different way. Eventually one or the other
would probably win out, but this would mean dividing our resources,
competing for attention, etc.
In exchange for gaining a powerful ally, the New SPF shifts its attention
to 2822 headers instead of 2821 MAIL FROM. Many folks see this as a step
down, because we can't check the authorization before the DATA phase -- at
least not at first -- and the bounce address is protected indirectly, not
directly.
This difference -- 2821 MAIL FROM vs. 2822 From:/Sender: was a big concern
in the IETF MARID working group as well. MARID, true to IETF form, is full
of literally dozens of great ideas, some of which have a chance of working
and some which don't. But again, great ideas by themselves don't solve
problems... hard work solves problems. The MARID camp was pretty much
split due to disagreement about 2821 vs. 2822, much the way SPF and MSCID
were split a few weeks ago. An agreement with MS allows us to present a
consistent story to MARID, which I think is crucial to getting an RFC
drafted and approved.
Finally, being able to announce a convergence of the two proposals at the
INBOX email conference was a huge win. This will help us get the message
out there, and help us push through many barriers that would have been
impassable before now. There is a huge difference between asking an ISP to
do something because we think it's right and we hope it won't break
anything, and getting users pumped about it so that they ask their ISP for
it. (Same goes for corporate IT, forwarder, whatever)
So. Those are my reasons for supporting the New SPF. I hope that the SPF
support community will pull together under the common banner, which is
still "Stop email forgery". I hope that the technical differences will
give us some spirited debate, and then get resolved quickly so we can all
stand together again. We have built up a good head of steam and have got
people moving in the right direction. I would not like to see people get
lost in the details, or decide to throw themselves on the tracks because
it's not exactly the same expression of the idea they originally had in
mind.
Thanks for your time.
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- SPF: Not just a clever idea,
Greg Connor <=
|
|
|