From: Mark Lentczner
Sent: August 5, 2004 9:09 PM
Re: change of version string
"On Aug 5, 2004, at 3:55 PM, John Glube wrote:
You indicated in response to a question from Frank that
the marid protocol will be set up to allow for checks
involving either SMTP mail from or PRA.
I wasn't clear. The MARID Working Group is proceeding with
a set of drafts that only define checking the PRA. The
group (as a whole) has never advanced drafts checking MAIL
FROM. My examples were just showing that the change in
version string allows one to continue to check MAIL FROM
using "v=spf1" records. The MARID drafts will not mention
"v=spf1" at all, nor checking MAIL FROM."
I appreciate the clarification on this point.
"> I thought EHELO was included in previous versions. Why
has > this been dropped? There has been some group motion
toward a set of drafts that check HELO/EHLO. These drafts
are called CSV and have no relation to the original SPF
work or the current Sender ID work. In particular, they do
not use the same record format for publishing a domains
authorizations.
I understand this point. My question involved the concept
of a unified theory, which you responded to below.
"> Is there any intent, consideration or thought being
given to adding, "want to test for ehelo go here, want to
test for sender from go here, do you like unified,
consider this?
If this is the where you think the world should be, then
you shouldn't be pushing for ANY draft to come out of the
working group. The normal IETF practice would have been
to: Wait until several methods of interest have been
implemented and deployed for a year or more. Let domains
learn about them. Let them decided what to implement and
publish. Wait some more time and gather real data on both
public interest and operational impact. THEN form a
working group to pick only that which really works and
hammer it all down into a spec.
In other words, if you think we should be just letting
everyone try anything they'd like, then we don't need an
IETF spec for that. Just develop ideas, write code,
disseminate, evangelize, win hearts, minds and hosts.
However, many people felt that spam had reached such a
critical state, and that something like SPF was such a
clear win if we could promote quick adoption. Getting it
approved as an IETF spec could help do that, and so the
working group was convened with the specific charter to
hammer it all out very quickly, without the normal
multi-year lets see how they all work processes."
I clearly understand why we are here today. I also fully
appreciate the need for action and why the IETF constituted
a WG to deal with this issue on an expedited basis.
Perhaps I did not make myself clear. My point had to with
the unified theory which you mention below. I felt if
structured properly this would have established an overall
standard on the sender side, while allowing the market to
sort things out on the receiving side.
"> I ask because some service providers are going to want
to > run checks using SPF, Sender ID, CSV and when ready >
DomainKeys.
There is nothing stopping those checks from being performed
concurrently. Nor anything stopping a domain from
participating in all four schemes. However, the working
group as a whole did not show any serious interest in a
"unified" approach, such as put forth by Meng and I. It
isn't clear to the group as a whole that the "correct"
solution involves all four schemes and "pick and choose"
approach for publishers and checkers. Advancing the
"unified" approach essentially enshrines such a path as
standard practice."
Okay, so what you are saying is that the unified approach
is dead in the water. This is what I have been driving
towards and why I asked my follow up questions.
I felt with the removal of PRA from core there might be
room for this approach to regain some life.
As noted above, in essence, what I was suggesting was
senders would publish a record compliant with all 4 schemes
and receivers could pick and choose.
To me this made the most logical sense, while allowing for
market determination.
However, I gather from my own inquiries as well what you
state above that there seems to be little traction among
the proponents for this approach.
It now seems it is up to individual domains to participate
as deemed appropriate.
Given what you note above concerning the revised drafts not
referencing SMTP MAIL FROM at all, this also means should
MS decide to make an IPR claim, along with asking for a
license, the whole licensing issue will surface again.
Thank you for taking the time to clarify where the WG is at
this point in time, viz "Sender-ID" having attended the
meeting and outlining what the new drafts will look like.
John
John Glube
Toronto, Canada
The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.734 / Virus Database: 488 - Release Date: 04/08/2004