SPF List Members,
I have been thinking about an area of the SPF spec that could conceivably
cause those who implement SPF checking in their applications quite a bit of
trouble when reading some published SPF TXT records.
I imagine those who are developing their applications would also see this,
but the last thing I would want to do is to cause pain for SPF application
developers, and especially so for some larger ISPs who may be using such
software in an online testing mode, should it be remotely possible they
missed this in their implementation(s). Indeed, the problem may have
already been discussed but is apparently not addressed in the SPF
specification.
I have some thoughts on how to correct the potential problems, but in
presenting those thoughts, I would expose the specification
weakness. Because the nature of the exploit might cause the application to
crash or lock up, and acknowledging that this is a general list,
responsibility in posting dictates I ask others here how to go about this
process.
So, how does one responsibly disclose an issue in a public list for a
project without causing some potentially short term yet foreseeable
implementation problems for some SPF application developers?
Best,
Alan Maitland
The Commerce Company - Making Commerce Simple(sm)
http://WWW.Commerco.Com/