spf-discuss

RE: Re: When did we lose control?

2004-10-22 03:11:56
From: Greg Connor Sent: October 22, 2004 2:49 AM

|Again, I don't think Meng is in a position to stop SPF (classic
|or spf2) from going forward.  Everyone is reacting to Meng like
|he kicked the cat. Let's move forward.

Just before we move ahead, a few questions:

* Do we have a clear understanding of where it is we want
to go with spf2.0?

* Do we need a statement of work, along with estimated time
frames for work completion?

* Do we have any input documents? 

* Who is going to write up any input documents for
discussion, if none exist? 

* How will this work be reviewed? By the list? Do we need
discussion moderators?

We are here at Meng's pleasure. Both he and Mark are the
RFC Editors. People have set out their concerns.

To summarize, it seems the consensus is to move ahead in
putting together an open standard for spf2.0 supporting
both mail envelope and message header authentication.

It appears this protocol should not support any specific
implementation, but rather establish a framework for domain
owners to publish appropriate records and implementers to
come forward with solutions in compliance with the protocol.

I am somewhat hesitant in being specific as I have a bias, in
the sense of not asking okay we need to thwart spoofing and
phishing.

But rather asking, what is the fundamental problem in terms
of the SMTP protocol which is causing difficulty and what
is the most effective way of rectifying this problem, with
the least overhead and which is the easiest to implement?

Unfortunately, this approach has not found favor on this
list and in fairness I am not the best person to go further
than simply to ask the question. 

If one follows the analysis of developing approaches to
thwart spoofing and phishing methods, given the work done on
this list to date the protocol would set out a methodology
for mail envelope authentication which allows for:

* an "SPF classic" implementation, supported by either
sender rewriting schemes, or William's submitter proposal;
or

* an implementation using a signed envelope sender concept.

As to message header authentication, given the list
consensus, it seems the protocol would set out a methodology
based on:

* William's approach, supported by William's submitter
proposal; or

* an implementation using a signed envelope sender concept.

(I caution the SES concept may be somewhat beyond MARID,
even for an experimental proposal.)

As to the specific details, I will leave that to others.

Subject to any objections, I believe it is appropriate that
Meng and Mark indicate their positions in response.

John

John Glube
Toronto, Canada

The FTC Call For Sender Authentication
http://www.learnsteps4profit.com/dne.html
