[Stuart D. Gathman]
I would like to see SPFv1 evolve to specialize in "before DATA"
authentication. And the new XML standard to specialize in
"after DATA" authentication.
...
After DATA authentication, on the other hand, will encompass
a number of cryptographic and reputation schemes, with
varying PKI systems. The flexibility of XML is needed for
this application.
This makes a lot of sense to me. Why not take a cue from the MPEG group
and call these different incarnations of SPF "layers", instead of
versions? That way people won't feel they are being left behind or
stepped on by the money and influence of Redmond.
The current SPFv1 can be "SPF LAYER 1", designed to handle the RFC2821
validation. The new SPF, "SPF LAYER 2", can then incorporate the RFC2822
validation that many people (including myself) believe is necessary. As
you mention XML allows for a lot of options here, and this is the
"layer" people would be free to ignore if they hate the idea of XML, or
have personal politics that preclude using anything that Microsoft ever
touched.
There could even be an "SPF LAYER 3" some day that does full per-user
crypto from MTA to MTA, or something like that. Or whatever other new
scheme somebody comes up with.
All of these "layers" can then evolve and exist somewhat on their own,
and yet still be part of the branded "SPF family" that is designed to
provide varying degrees of authentication to email. Reputation systems
will evolve for each layer. The marketplace can decide which layers
succeed and which ones fail.
What we have to do, then, is ensure the various SPF layers don't step on
each other, at least until a layer has been almost completely discarded
by the marketplace (like MPEG layer 1 audio).
The "SPF forum" governing body should not, of course, be as closed as
the MPEG forum, which sort of unilaterally announces it's standards
(some of which are patented and decidedly not royalty-free) every few
years.
Regards,
Ryan