Re: SPF: Not just a clever idea
2004-06-07 01:30:24
I agree with you, Greg, that we should stand together, put our power
together to produce one good product. One good product that takes the
best from SPF and the best from Caller ID.
But one thing I don't understand: Why should we (everyone that is
progarming someting SPF or CID related) implement two ways of publishing
and parsing the records? Why couldn't we stand here together and take ONE?
Teddy
Greg Connor wrote:
Despite some negative comments about the technical details of the
merger, I have to say that overall I am quite pleased with the new
direction set by Meng, and my reasons for feeling pleased are for the
most part non-technical.
Because I think the technical aspects of the merged proposal have been
getting a lot of bandwidth and attention, I would like to dedicate some
time and energy to discussing the non-technical facets of SPF and my
feelings about the future.
SPF is not a new idea. SPF is based on an idea whose time has come:
specify outgoing mailers and use that info to permit only certain IPs to
use your domain name. It is not the first of its kind: SPF owes its
origin to RMX, DMP, and others (Vixie, Church, Danisch, Feyck, etc).
I think SPF stands the best chance of succeeding out of all of these,
but not because the idea is dramatically better. SPF owes its success
to the hard work of its community members, most notably Meng, but there
are plenty of others. The hard work has not been in thinking up clever
ideas... the hard work comes in talking to others, expressing our ideas
coherently, listening to others, understanding roadblocks, working
together to solve them, producing working code, testing, changing, etc.
So, for this reason I believe that SPF's strongest asset is not its
spec, but its people. The community of people that has sprung up around
SPF is a great cross-section of the email industry. Each of us has our
own concerns, constituents, agendas, etc., but we are all united in a
common cause: stop email forgery. For this cause we have donated our
ideas, time, energy, enthusiasm, and other resources.
My personal feeling is that ending forgery will take a long time, so we
had better get started, and get as many people on board as we can, as
soon as possible. To me, which particular interpretation/expression of
the idea we choose to get behind is not as important, but getting
rolling soon, and getting many allies early in the game are most
important. If we are all pulling the same direction, we can make a lot
of progress quickly, and a lot of things that used to be impossible now
become possible. If there are minor differences between two expressions
of the same idea, I believe it is much more powerful to pick one and go
with it, together, than to stick to an idea that we think is superior,
but turns a potential ally into a competitor.
Also, I believe that Microsoft is not the enemy. A lot of people have
strong feelings that Microsoft is evil. I don't. They are simply
another player, and they are a big one... they control servers
(exchange) MUAs (outlook) and one of the largest email services (hotmail).
It is a testament to our success that Microsoft approached Meng to talk
about convergence. Most of the time when Microsoft wants to master a
new technology, they just go out and do it. In this case, enough of
their customers and partners said "Hey, hang on, what about SPF?" that
they decided to take the time to talk to Meng to see if convergence was
even possible. Meng should be proud that we got to this point, and so
should we all be.
Still, we are not the only fish in the sea, and MS Caller ID is not a
slouch of a proposal either. If there were no convergence, or if the
deal is scuttled for whatever reason, SPF Classic can continue to go its
way and MS CID can continue to go a different way. Eventually one or
the other would probably win out, but this would mean dividing our
resources, competing for attention, etc.
In exchange for gaining a powerful ally, the New SPF shifts its
attention to 2822 headers instead of 2821 MAIL FROM. Many folks see
this as a step down, because we can't check the authorization before
the DATA phase -- at least not at first -- and the bounce address is
protected indirectly, not directly.
This difference -- 2821 MAIL FROM vs. 2822 From:/Sender: was a big
concern in the IETF MARID working group as well. MARID, true to IETF
form, is full of literally dozens of great ideas, some of which have a
chance of working and some which don't. But again, great ideas by
themselves don't solve problems... hard work solves problems. The MARID
camp was pretty much split due to disagreement about 2821 vs. 2822, much
the way SPF and MSCID were split a few weeks ago. An agreement with MS
allows us to present a consistent story to MARID, which I think is
crucial to getting an RFC drafted and approved.
Finally, being able to announce a convergence of the two proposals at
the INBOX email conference was a huge win. This will help us get the
message out there, and help us push through many barriers that would
have been impassable before now. There is a huge difference between
asking an ISP to do something because we think it's right and we hope it
won't break anything, and getting users pumped about it so that they ask
their ISP for it. (Same goes for corporate IT, forwarder, whatever)
So. Those are my reasons for supporting the New SPF. I hope that the
SPF support community will pull together under the common banner, which
is still "Stop email forgery". I hope that the technical differences
will give us some spirited debate, and then get resolved quickly so we
can all stand together again. We have built up a good head of steam and
have got people moving in the right direction. I would not like to see
people get lost in the details, or decide to throw themselves on the
tracks because it's not exactly the same expression of the idea they
originally had in mind.
Thanks for your time.
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
|
|