spf-discuss

Re: draft: SPF community's position on MARID closing

2004-09-24 11:02:09
In <20040924173822(_dot_)873A661B(_at_)dumbo(_dot_)pobox(_dot_)com> 
mengwong(_at_)dumbo(_dot_)pobox(_dot_)com (Meng Weng Wong) writes:

So someone had the idea that we should have an Official
Statement to release to the Media.  Would anybody like to
help iterate this?  Let me know if I left anything out, and
if people are reasonably comfortable with it we can put it
out there on a web page or something.

Good idea.


What I've learned from this is: there are many right things,
and we'll probably end up doing more than just one.  An
elephant is like a wall, like a spear, like a snake, a tree,
a fan, a rope.  [...]

While I understand this sentence, it confused me on first reading.  I
think a better analogy for email security is that in the real world,
people put locks on their doors, have police, form community watches,
and add safety lights.  None, by themselves, solve the crime problems,
but each one helps.

Picking just one authentication technique is like saying
"henceforth, all gas stations shall sell only 89 octane."
But the market wants 87, 89, 91 and diesel too.  There's
lots of room at the pump.  What does the future hold?  All
of the above.

Again, I think a stronger analogy is between email security and
physical security. 


Facts:
  an estimated half million domains have published SPF
  records.
  
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200409/0746.html

That isn't an estimate, that is a count.  I can give you a list of
650k domains that have SPF records.  (In fact, I have given this list
to the SPF adoption roll, I'm not sure if it will be included though.)

When you combine my list of 650k known domains with the adoption roll,
you can say "Fact: nearly three quarters of a million domains have
published SPF records."  I think it would be reasonable to even say
that there are an estimated 1 million published SPF records.


Meanwhile, working with Microsoft on Sender ID, we have
defined a spf2.0 specification which will be backward
compatible with the spf1 records out there; and it will give
senders in unusual situations greater expressiveness.

I have problems with this part.

The short-lived "spf2.0" record definition was not backwards
compatible with "v=spf1" records.  You and Mark explicitly did not
want to add that compatibility.  Also, are you really still working
with MS?  Are they committed to staying with the specs, or are they
going to go off and do their own thing?  Is it wise to try to speak
for them?

What about the PRA?   The IETF has asked for individual submissions,
but if you submit the PRA as a scope, you will run into the same
buzzsaw trying to get an individually submitted draft accepted as an
RFC as what happened in the MARID working group.  The sparks will just
fly at the IESG "last call" level, rather than the working group "last
call".

So, if you try to support the PRA, you aren't going to get an RFC.  If
you don't support the PRA, you probably won't get support from MS.  If
you just try to push a new spec without trying to get IETF RFC status,
and you include the PRA, you are going to lose a huge amount of
support from the SPF community.

Since this document is claiming to be from the "SPF community", and
very few of us think the PRA is technically useful, I think you need
to say that we are dropping the PRA.



-wayne

