spf-discuss

Re: draft: SPF community's position on MARID closing

2004-09-24 10:57:36
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have several amendments. I'll discuss them if people want an explanation.

On Friday 24 September 2004 10:38 am, Meng Weng Wong wrote:

While the disbanding came as a bit of a surprise, I now see
why it was a necessary move.  There were a number of
proposals on the table; because there was little consensus
that we should pick just one, the co-chairs decided to
pretty much publish all the contenders as experimental
proposals, and let them evolve and let the market decide.

This actually makes sense.  Why?  Good standards are not
unilaterally decided by committee and then announced for the
world to adopt.  Good standards evolve organically, and only
after the world has already adopted them, does the IETF step
in, formalize, and bless them.

Spam was such an urgent problem that we thought we could
take a gamble: we tried to short-cut the process.  We
thought, "wouldn't it be much more efficient if we could
just tell everybody to do the right thing?"  But we found
that people had different ideas about what the right thing
was.

What I've learned from this is: there are many right things,
and we'll probably end up doing more than just one.  An
elephant is like a wall, like a spear, like a snake, a tree,
a fan, a rope.  In the same way, sender authentication needs
more than one approach: we need to authenticate the HELO
hostname, the return path, and the headers, and besides that
we'll also need crypto.


Replace with:

What I've learned from this is that there are many proper solutions. We may 
end up doing more than just one of them. In the fable of the blind men 
trying to identify the elephant, the elephant is identified as a spear, a 
snake, a tree, a fan, and a rope. None of them are completely wrong; each 
holds a key to the correct identification. In the same way, the solution 
for sender authentication lies in more than one of the proposals. We need 
to authenticate the HELO hostname, the return path, and the headers. 
Besides that, we will need cryptographic solutions as well.

So that's our plan.  The SPF community will pick up the
pieces and define a "Unified SPF" standard.  Unified SPF is
the whole elephant.  It will work better than any one of the
proposals alone, better even than SPF Classic.  We went into
MARID holding that banner, and we're coming out with a
patchwork quilt.


Replace that with:

We went into MARID holding the banner of SPF Classic. We heard other people 
advocate their causes as well. We saw the value of their ideas, and now we 
want to incorporate them into one unified solution. That solution is SPF 
Unified.

SPF Unified allows people to pick which authentication technique best suits 
their needs. It does so in a consistent way that is easy to implement. We 
can't tell which one of these methods will be the best until we see them 
all in practice. SPF Unified provides a way to try them all out.

Picking just one authentication technique is like saying
"henceforth, all gas stations shall sell only 89 octane."
But the market wants 87, 89, 91 and diesel too.  There's
lots of room at the pump.  What does the future hold?  All
of the above.


Strike this paragraph.

Facts:
  an estimated half million domains have published SPF
  records.
  
http://archives.listbox.com/spf-discuss@v2.listbox.com/200409/0746.html

  Major providers are checking SPF records; Microsoft has
  stated by Oct 1; GMail is already checking (you need to view
  full headers); and AOL has plans to convert its IP-based
  whitelists to SPF by the end of the year.


Replace with:

SPF is already being implemented. Microsoft will check headers starting on 
October 1. AOL will check headers by the end of the year. GMail is already 
checking headers.

The SPF community plans to take the existing records and
squeeze as much use out of them as we can.


Add: "SPF Unified will use these existing records."

Meanwhile, working with Microsoft on Sender ID, we have
defined a spf2.0 specification which will be backward
compatible with the spf1 records out there; and it will give
senders in unusual situations greater expressiveness.


Strike "and" after the semicolon.

So even though the IETF group is officially disbanded, the
show will go on.  MARID may be dead, but SPF is not.
http://www.circleid.com/article/765_0_1_0_C
http://www.circleid.com/article/742_0_1_0_C


- -- 
Jonathan M. Gardner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBVGATBFeYcclU5Q0RAhB5AJ94lOd3YywBSm7cnH9azlxJRFFJTQCg4vg/
Xuh0zJnMdvPWgMmSWfovEIY=
=mu0n
-----END PGP SIGNATURE-----