spf-discuss

RE: will PRA checking take off anyway?

2004-10-15 22:59:44
From: william(at)elan.net
Sent: October 15, 2004 11:35 PM

William, you wrote:

|I really see no reason why Microsoft can't wait 6 months and let
|us hammer out SPF2 format that will include scoping support or
|introduce scoping into spf1 by some other means.

I am no fan of Microsoft's patent license, as is quite
obvious. At the same time, irrespective of Microsoft, I
suggest the community at large feels that waiting 6 months
to come forward with a non-cryptographic solution to deal
with message authentication using DNS records is too long,
if such a solution is realistic.

I appreciate a fair amount of thought, time and effort
needs to go into getting the protocol "right," along with
all the related work.

At the same time, do we really need 6 months to sort
things through?

For now, I suggest we should simply put Microsoft aside
and focus on the tasks at hand:

* Working out a protocol which allows for two tracks -
message header and mail envelope.

* On the mail envelope side, I suggest one area of focus is
moving ahead with an approach which allows for end to end
authentication, without SRS or Submitter.

* On the message header side, the real question is: can
there be an open source solution which allows for 2822
From checking, based on a responsible submitter concept,
and does this really make sense? If such a proposal can
come forward, is it possible to allow for backward
compatibility with the existing record base, or is that
simply not realistic?

Then once this is done, the proposal can be submitted. At
the same time, if others want to use the records to form a
basis for their own proposal, since the product is open
source, as long as the algorithm used generates the same
results, fine and the IESG can assess that proposal on its
merits.

Should that proposal be encumbered, the issue of any
license will come up. At the same time, there will be an
open source solution for consideration and the IESG can
deal with the matter in the proper fashion.

Quite honestly, if people don't want to support Microsoft's
position without their changing the license, then it is
better to simply come out and say no, here are the terms
for you to participate. If these terms are not acceptable,
fine.

Then proceed with the work, rather than be perceived as
"sitting on the project."

Why? I would be concerned that we run the risk of being
perceived as being obstructionist, rather than having a
genuine concern and dealing with the issues.

Also, we need to understand this is not a static market.
Other approaches are being worked on. Despite the view held
by many on this list that SPF classic is the "cat's meow,"
others are not so sanguine.

Keep in mind that Carl, in his note to the list, told this
group that AOL is also looking at doing CSV checks for
testing purposes in the near term.

The question has been raised: why is AOL considering PRA
checking? AOL has told folks "we won't support PRA."

At the same time, the financial institutions are pushing
extremely hard for a technical solution to phishing.

So, while AOL may support the open source community
efforts, given it is a large corporation with diverse
interests, I would suggest it has to be prudent in how it
proceeds.

(It is a good thing in business not to upset your banker.)

Changing the topic: personally, I am of the view that it is
wrong to come up with a solution to a particular "issue."

Rather, it is better to look at the question from the
fundamental perspective of what is the best approach to
resolving certain security issues that allows for the
widest implementation, as quickly as possible, with the
lowest overhead.

My complaint with PRA and my concern with SPF is that it is
a solution to a particular "issue" as opposed to looking at
the question from the underlying perspective I just
referenced.

Having said this, I don't want to stand in the way of this
group's effort.

This is why I don't think it wise to take a stance on
the work that allows others to level the charge that this
group is simply delaying for the sake of delaying.

Having said this, if people honestly feel the work will
take 6 months to properly complete, then I would suggest a
work guide be established so that folks can understand why
this is the case, some form of charter be written up
outlining the scope of the work along with the objectives,
and people start moving ahead with the project.

John

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
