spf-discuss

Re: change of version string

2004-08-06 14:24:29
Meng,

Just a quick follow up. In going through the jabber notes
of the discussion surrounding Submitter, I find the
following:

[11:13:04] <ggm> David. jim ,made claim will save b/w.
reality most spam producers are not paying. by time
processing is already in machine. so no benefit."

Unclear who David is, but believe Dave Crocker. Jim refers
to Jim Lyons.

Ultimately, in response, the strongest comment which
supports the view point of doing a mail from check as a
precursor to doing a PRA/header check was made by Harry
Katz:

[11:13:27] <ggm> Harry. perform spoof check, can reject at
821 time, before have accepted data over the wire. if you
accept msg data, can do additional PRA/hdr check.

Clearly this discussion indicates people understood the
issue and people were in agreement it was appropriate to:

perform a spoof check ... at 821 time.

(Quoting from the answer given by Harry Katz.)

How do you do a spoof check within the context of marid
protocol and core? By doing an SPF classic mail from check.

As an aside you could add an ehelo check and a ptr check
which backs you right into spf unified.

This is why I was raising the spf unified, but that is a
separate issue.

My point. I strongly suggest that from the record of the
jabber session there was a clear understanding of the need
to:

perform spoof check, can reject at 821 time, before have
accepted data over the wire...

to again quote from Harry Katz as noted above.

Trusting this helps. If you require more, please let me
know.

John

P.S. Is that clear enough:-) See also the original message
below.

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html

-------------- marked original message --------------------

John Glube wrote, 
Given this response, I must ask what the heck is going on?

Mark Lentczner wrote, 
What is with you folks?  Geez, I'm just a guy who's been
doing a bunch of heavy lifting as best I can.  Don't get
all wonky with me!

Mark,

I understand, however as you must appreciate this whole PRA
issue is troubling and in fairness the stance taken left me
a bit cold.

Okay, as suggested I sat down and read through the jabber
session:

http://www.xmpp.org/ietf-logs/marid(_at_)ietf(_dot_)xmpp(_dot_)org/2004-08-04.html

Here is what I gleaned:

On submitter, there were issues concerning implementation
and effectiveness.

With the protocol there were two big issues:

* Moving from txt to RR for writing policy records; and

* Coping with the change of version string.

There were also some minor issues concerning the actual
protocol.

On the IPR and license, the question was what is MS claiming
the IPR on? Unclear, but seems on PRA. As to the license
terms this was a big issue for lots of folks. (For example,
Sendmail unable to do any testing.) MS was given until Aug
23 to make full disclosure on IPR and license. This is a
drop dead date.

(It was acknowledged there is a firm in UK making a claim to
Sender-ID by way of trade mark.)

Reason, do engineering first, finish this and then make
disclosure. MS understands this will be an issue and dealt
with during last call.

On the PRA, Jim Lyons made a presentation. Questions were
raised about the effectiveness of the PRA. Decided to split
the PRA from the core. At the same time an alternative draft
to be worked on for PRA if MS insists on IPR and license.
Douglas Otis to do this draft.

Acknowledged no testing done on PRA. Sendmail unable to do
any testing until license issue resolved.

Then discussion moved on to CSV.

Now, I appreciate you were present, but my sense was it
would be appropriate to leave in MAIL FROM testing in either
the protocol or core.

Why? The view was that it may take a while to implement
submitter and therefore in the absence of Sender from checks
we would be doing MAIL From checks anyway.

My suggestion would be to go over the notes and make sure
Mail from checks has to come out of the draft. Besides, if
one does a mail from check and there is a failure, why waste
time on all of the rest.

If there is a pass, you can still leave in the requirement
for a PRA check.

Taking this approach would serve two purposes.

It would enhance the final drafts and also overcome the
concerns raised about ongoing application of IPR and the
license, allowing people to continue to work on
development surrounding submitter, protocol and core and
leave PRA aside until the IPR and license issue was settled.

My proposal? Leave in a MAIL FROM check requirement in
either Protocol or Core as a suggested pre-cursor to doing
PRA and then if others want it out, let them ask and we can
respond on the issue over at Marid.

Trusting this helps to resolve the issue.

John

P.S. I am not going to raise this over at MARID as I view
this as an internal SPF issue. Others are of course free to
do so. Cheers, John

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
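The ordering quoted from Harry Katz above (envelope check at 821 time, header check only if the data is accepted), sketched as an added example that is not part of the original message or of any MARID draft. The policy table, function names and reply texts are constructed for illustration; the table stands in for a DNS lookup of published sender policy, and the header selection is a simplified stand-in for PRA, not the draft's algorithm.

```python
import ipaddress

# Constructed policy table (assumption): domain -> networks allowed to send.
POLICY = {
    "example.com": ["192.0.2.0/24"],
    "example.org": ["198.51.100.7/32"],
}

def permitted(domain, client_ip):
    """True/False if the domain publishes a policy, None if it publishes nothing."""
    nets = POLICY.get(domain.lower())
    if nets is None:
        return None
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def domain_of(addr):
    # Handles "user@dom", "<user@dom>" and "Name <user@dom>"; "<>" yields "".
    return addr.rsplit("@", 1)[-1].strip("<> ") if "@" in addr else ""

def header_identity(headers):
    # Simplified header selection (assumption): first header present wins.
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if name in headers:
            return headers[name]
    return None

def receive(client_ip, mail_from, headers, body):
    """Return (smtp_reply, body_bytes_accepted) for one constructed message."""
    # Stage 1: envelope time, before DATA. A failure costs no message bytes.
    if permitted(domain_of(mail_from), client_ip) is False:
        return ("550 MAIL FROM not authorized", 0)
    # Stage 2: only after the data has crossed the wire can headers be checked.
    ident = header_identity(headers)
    if ident and permitted(domain_of(ident), client_ip) is False:
        return ("550 header sender not authorized", len(body))
    return ("250 OK", len(body))

if __name__ == "__main__":
    body = b"x" * 4096  # constructed message body
    print(receive("203.0.113.5", "<bob@example.com>", {"From": "bob@example.com"}, body))
    print(receive("198.51.100.7", "bounce@example.org", {"From": "Bob <bob@example.com>"}, body))
```

The first call is refused with zero body bytes received; the second passes the envelope check and is refused only after all 4096 bytes have been accepted.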
