So, how does one responsibly disclose an issue in a public list for a
project without causing some potentially short term yet foreseeable
implementation problems for some SPF application developers?
The best way is to openly disclose it right here, right now, on this
list. *IF* the problem were a specific vulnerability with a specific
set of implementations, *THEN* perhaps it would be best to first
contact the developers of such software and determine how quickly they
can implement a patch, and then to time your public disclosure to match
the release of the fixed software.
However, I get the sense that your concern is a general issue with the
SPF protocol, and that some tweaks to the protocol, or the standard way
of implementing it, would close the hole you see. Therefore, the best
way is to get it out in the open as soon as possible.
- Mark
Mark Lentczner
http://www.ozonehouse.com/mark/
markl(_at_)glyphic(_dot_)com