spf-discuss

Re: SPF: Not just a clever idea

2004-06-07 09:08:39
On Mon, 7 Jun 2004, Jim Hill wrote:

In exchange for gaining a powerful ally, the New SPF shifts its attention 
to 2822 headers instead of 2821 MAIL FROM.

Effectively making it useless for my purposes.

Hear hear.  I have no objection to the new features being proposed
for 2822 headers and message body validation.  But there is no need
to kill the very useful 2821 validation provided by SPFv1.  There
are two RFCs for before and after DATA headers: 2821, and 2822.  Why can't
we have two RFCs for before and after DATA authentication?  SPFv1 for
2821 and SPFv2/CID for 2822.

Once again, the 2822 functionality is useful - but does not belong in
the MTA.  The code bloat from the XML, the non-trivial cryptography, will be a
security nightmare.  Fortunately, that functionality does not have to be
in the MTA.  Since we already committed to DATA, the complete message has
already been transferred, and external tools can apply the 2822 check.
The external tools do not even have to be real time.

But however wonderful the new 2822 features, we *still* need a lightweight
authentication protocol that works before DATA, works in real time, and
has minimal code bloat.  I *already* have tools that delete junk once
I've wasted bandwidth receiving it (content filters).  Sure, the 2822
header features will improve junk detection, perhaps greatly improve it, but if
we don't block the lion's share of the junk before DATA, we are really no
better off.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
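
Added example (not part of the original message and not code from the SPF project): a sketch of the pre-DATA check argued for above, evaluating an SPFv1 record against the connecting IP at 2821 MAIL FROM so a failing sender is refused before any message body is transferred. The TXT records, the addresses, and the names `check_mail_from` and `smtp_session` are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are handled and no DNS lookups are made.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: offline demo).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_mail_from(client_ip, mail_from):
    """Evaluate the ip4/ip6/all terms of the SPFv1 record for the MAIL FROM domain."""
    domain = mail_from.rpartition("@")[2].lower()
    terms = SPF_RECORDS.get(domain, "").split()
    if terms[:1] != ["v=spf1"]:
        return "none"  # domain publishes no SPFv1 record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"  # a, mx, include, ... need DNS; outside this sketch
    return "neutral"  # record ended without a match


def smtp_session(client_ip, mail_from, body):
    """Return (SMTP reply, body bytes received) for one message."""
    if check_mail_from(client_ip, mail_from) == "fail":
        # Refused at MAIL FROM: DATA is never reached, no body bandwidth is spent.
        return ("550 SPF check failed", 0)
    # Accepted: header (2822) checks can run on the stored message later.
    return ("250 OK", len(body))


if __name__ == "__main__":
    junk = b"x" * 50_000  # constructed message body
    print(smtp_session("203.0.113.9", "alice@example.com", junk))
    print(smtp_session("192.0.2.25", "alice@example.com", junk))
```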