spf-discuss

RE: Re: DEPLOY: SPF/Sender ID support in Courier.

2004-08-28 00:36:57
At 12:23 AM 8/28/2004 -0400, Stuart D. Gathman wrote:
On Fri, 27 Aug 2004, Jake S wrote:

I enjoy SPF - the email type not the sun block type - it works for me and my
small company but I rely on courier for our business.  If Sam cannot support
the future incarnation of SPF (SenderID if I'm correct) then I can't either
and I'm fairly certain that courier has a fairly large install base.  How
should we go about this and / or deal with this statement?

Continue enjoying SPF.  Unlike SPF, SenderID has never been tested - we don't
know whether it is truly an improvement.  SenderID is encumbered by the
M$ patent (which seems like another stupid one to me - to see who purportedly
sent the message you ... duhhhh ... let me see .... duhhh ... look at
the headers?  I would have never thought of that!).  So just ignore it
until:

 a) it has actually been found to work
and
 b) it is unencumbered


My 2 cents...

Actually I think where Microsoft is headed with all this in future is a 
per-user cryptography, like SenderKeys, but under their own control.  Allow me 
to explain my reasoning.

Note that Microsoft has made public announcements about the future value of the
"hashcash" technique, where the cost of sending is increased by applying some
computer algorithm.  Note that public key cryptography at the MUA with huge 
keys is a way to accomplish this.

Thus I see SenderID and the algorithms for parsing as the first salvo in what
will eventually be those algorithms everywhere and then Microsoft can force 
people to license those algorithms in order to enable their Signers (e.g. MUAs) 
and Verifiers (e.g. MTAs).  As I said in the "Patent license" thread, 
Microsoft's apparent goal in the past is to wrest control into their clients (e.g.
IE, Outlook, Windows) so that the power of others is irrelevant.

Microsoft's advantage is always to turn the control back to the client, which 
is why I guess people here would oppose SenderKeys, but I think an open 
standard for per-user signing could pre-empt.  I know Microsoft can crush 
SenderKeys in a heartbeat.  I have no illusion about that.  I am just trying
to do something.  Note the Privacy section of SenderKeys has been drastically 
improved.

That is to say I think we need open standards for both viable per-domain 
anti-forgery (SPF) and per-user built on top of and orthogonal to per-domain
(SPF).

I disclaim any knowledge about Microsoft plans and I disclaim that this is 
true.  This is my version of fiction.  Read it into what you want to.

(got my flame retardant jacket on waiting for replies :)

