spf-discuss
[Top] [All Lists]

will PRA checking take off anyway?

2004-10-15 09:25:25
Excellent, I think we are beginning to agree on exactly
where we disagree.

On Thu, Oct 14, 2004 at 07:20:56PM -0400, John Glube wrote:
| * There is no point in having a technical discussion about
| accommodating PRA either in version 1 (if that is possible)
| or in version 2 (which is more likely) unless we know there
| can be wide spread deployment.
| 
| * As long as Microsoft insists on having a draft patent
| license which is not compatible with the Open Standards
| Alliance model, since the vast majority of mail servers use
| software which is open source and the license is not
| compatible as made clear in the public statement of the
| Apache Foundation, there can't be wide spread acceptance
| and therefore PRA checking won't take off.

I agree with the first point, and disagree with the second.

I see the 2821.mail-from as the province of the MTA.

I see the 2822.pra as the province of the MUA.

I think we can agree that a significant population of MTAs
in use are opensource: sendmail, postfix, exim, qmail, and
the like.

Similarly, the vast majority of MUAs are commercial:
Outlook, Outlook Express, Eudora, Mac Mail.

I do not expect opensource MTA software to implement PRA
checks.

I do expect commercial MUAs to implement PRA checks.  I
expect that Microsoft will bundled PRA checks into Hotmail
and Outlook; I expect Qualcomm will bundle PRA checks into
Eudora.  They don't need our permission to use v=spf1 in PRA
scope; all they need to do is tell people they're doing
that, and people will listen.  And the patent problem is
simply irrelevant to them.  Therefore there will be
widespread acceptance of PRA in the MUA whether or not
opensource has a problem with it.

The problems with the patent license have been raised by
opensource, and they are certainly relevant to entities
which are neither MUA nor MTA --- namely, SpamAssassin.  I
am very sympathetic to that position, and I am continuing to
pressure MS to improve the license.  But, assuming we do not
succeeed in gettng MS to change the license, I think we're
still going to see widespread deployment of PRA in MUAs.
That assumption is a major factor in my argument for spf1
and PRA.  I have other arguments which I will present a bit
more coherently later :), and I will restate this one when I
do that.

This is why I see the license issue as orthogonal to the
question of allowing PRA scope into spf1.  If we allowed
HELO scope into spf1, why not PRA, when PRA scope is in
spirit much closer to mail-from scope than HELO.

I do not think the differences in record content are
substantial enough for the vast majority of publishers to
make everybody have to think about disambiguation.  We
should make only the people who want to think about it have
to think about it.  For everybody else, we should tweak the
PRA algorithm to allow for special cases: for example,
autodetection of EzMLM and Yahoo!Groups will solve the
commonest cases where the PRA algorithm returns an incorrect
result.

I am in a lot of meetings today but I would like to continue
to explore where we differ.  The goal is to reach a concise
explanation of differences which we can explain to the
media.  If the Loyal Opposition is going to mount a PR
campaign and take the message to the media directly, I
strongly suggest you formulate a position:

1) what are publishers expected to publish?
2) what are receivers to check?
3) what do we say to people who see that MS is interpreting
   v=spf1 in PRA scope?

This is just a starting point.  More on this in a bit ...