spf-discuss

Re: Forking SPF into The New SPF and SPF1

2004-06-07 08:54:14
On Mon, 7 Jun 2004, Julian Mehnle wrote:

I'm thinking about forking SPF into "The New SPF" and a non-XML "SPF1"
variant, i.e. keep The Old SPF going separately and independently from The
New SPF.

Who's with me?

I would like to see SPFv1 evolve to specialize in "before DATA"
authentication.  And the new XML standard to specialize in "after DATA"
authentication.

Before DATA authentication would be killed by the weight and bloat of
XML - and it is absolutely not needed.  The 'exists' mechanism
provides complete generality - any function the sender cares to compute
on the inputs available before DATA.  The other mechanisms, like A and
MX, are optimizations that can be safely and efficiently executed on the
receiver's MTA - but the same effect can be provided by 'exists'.
Since a major benefit of SPFv1 is authenticating before DATA without
a lot of resources, the XML business would render it largely useless.

After DATA authentication, on the other hand, will encompass a number of
cryptographic and reputation schemes, with varying PKI systems.  The
flexibility of XML is needed for this application.  An MTA validating headers,
message body, and cryptographic signatures of various types needs to be able to
reliably parse a tree of data, interpreting the systems it implements and
ignoring those it doesn't recognize.  XML is ideally suited for this.  Yes,
more bandwidth is required for the XML, but once you've committed to the DATA
phase of SMTP, gathering another few kilobytes of XML data is a reasonable
overhead.  Yes, more code bloat and complexity is required for XML - but it is
commensurate with the kinds of header and message body signing systems being
proposed for after DATA.  As long as we keep the lightweight authentication
available before DATA, a lightweight MTA can reasonably choose to "pass" on the
heavyweight systems.  Furthermore, the after DATA XML based systems are
reasonably implemented outside of the MTA, in a MUA, LDA, milter, or
post-reception filter.  (As opposed to SPFv1 which needs to be implemented in real
time during the SMTP transaction - either directly by the MTA or via
a milter or similar MTA extension.)

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
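As an added illustration of the "before DATA" argument in the post above (example code, written for this page; it is not from the original message or from any SPF implementation): a minimal SPFv1 evaluator over a constructed, in-memory zone. It expands the macros that 'exists' relies on from only the inputs known at MAIL FROM time (client IP, HELO name, envelope sender), and shows how a sender can key authorization on any function of those inputs, here the reversed IP and the local-part, simply by publishing A records, while 'a' and 'mx' are evaluated on the receiver's side. The domain names, addresses and zone data are constructed; the dict resolver stands in for DNS so the example runs offline. Mechanisms not needed for the point (include, ptr, redirect) are deliberately left out.

```python
"""Minimal SPFv1 evaluator demonstrating the 'exists' mechanism (constructed example)."""
import ipaddress
import re

# Constructed zone standing in for the sender's authoritative DNS.  Nothing in it
# is real; the names under _spf.example.com are the sender's pre-computed answers.
ZONE = {
    "TXT": {"example.com": [
        "v=spf1 mx exists:%{ir}.%{v}._spf.%{d} exists:%{l}.%{i}.ip._spf.%{d} -all"]},
    "MX": {"example.com": ["mail.example.com"]},
    "A": {
        "mail.example.com": ["192.0.2.10"],
        # 'exists' keyed on the reversed client IP: one name per authorized host.
        "40.2.0.192.in-addr._spf.example.com": ["127.0.0.2"],
        # 'exists' keyed on local-part AND client IP: only alice may send from .25.
        "alice.192.0.2.25.ip._spf.example.com": ["127.0.0.2"],
    },
}

def lookup(rrtype, name):
    """Stub resolver: returns the RRset for name, or [] (NXDOMAIN / no data)."""
    return ZONE.get(rrtype, {}).get(name.lower().rstrip("."), [])

# %{letter}[digits][r][delimiters] -- the SPFv1 macro syntax used by 'exists'.
MACRO_RE = re.compile(r"%\{([slodipvh])(\d*)(r?)([.\-+,/_=]*)\}", re.IGNORECASE)

def expand(spec, ip, sender, helo, domain):
    """Expand SPF macros using only pre-DATA inputs: client IP, MAIL FROM, HELO."""
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6.
    dotted_ip = addr.exploded if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {
        "s": sender, "l": local or "postmaster", "o": sender_domain, "d": domain,
        "i": dotted_ip, "v": "in-addr" if addr.version == 4 else "ip6", "h": helo,
    }
    def sub(m):
        letter, digits, rev, delims = m.group(1).lower(), m.group(2), m.group(3), m.group(4) or "."
        parts = re.split("[" + re.escape(delims) + "]", values[letter])
        if rev:                      # 'r' reverses the labels (e.g. 192.0.2.25 -> 25.2.0.192)
            parts.reverse()
        if digits:                   # a count keeps only the rightmost N labels
            parts = parts[-int(digits):]
        return ".".join(parts)
    return MACRO_RE.sub(sub, spec).replace("%%", "%").replace("%_", " ").replace("%-", "%20")

def check_host(ip, sender, helo, domain=None):
    """Evaluate the SPFv1 record for domain against a connecting client; return the result."""
    domain = domain or sender.rpartition("@")[2]
    records = [t for t in lookup("TXT", domain) if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "exists":
            # The sender's DNS answers an arbitrary function of the pre-DATA inputs;
            # the receiver only has to see whether an A record exists.
            matched = bool(lookup("A", expand(arg, ip, sender, helo, domain)))
        elif name == "a":
            # Receiver-side optimization: compare the client IP with the A records.
            matched = any(ipaddress.ip_address(a) == addr for a in lookup("A", arg or domain))
        elif name == "mx":
            matched = any(ipaddress.ip_address(a) == addr
                          for mx in lookup("MX", arg or domain) for a in lookup("A", mx))
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"       # include/ptr/redirect intentionally unsupported here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "bob@example.com"), ("192.0.2.40", "bob@example.com"),
                       ("192.0.2.25", "alice@example.com"), ("192.0.2.25", "bob@example.com"),
                       ("198.51.100.7", "alice@example.com")]:
        print(ip, sender, "->", check_host(ip, sender, "mail.example.com"))
```

The second 'exists' term is the point of the post: authorization depends on the pair (local-part, client IP), a policy no receiver-side mechanism expresses, yet the receiver does nothing more than one A lookup per term before the DATA command is ever reached.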