spf-discuss
[Top] [All Lists]

RE: Re: Agenda for FTC/NIST Email Authentication Su mmit

2004-11-03 11:53:53
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of wayne

I wonder if the FTC understands what they are getting into by 
creating a panel with only Harry Katz and Doug Otis 
discussing IP based
authentication.  It will be, "interesting".   If there was an SPF
representative, I think there might be some productive output.

In dealling with such organizations you should first be aware of the real
questions that they are asking. Their interest is legislation and executive
branch functions, not technology.

From a practical point of view the submissions deadline closed long ago.

From a political point of view the real question that is being asked is
'should there be some form of government endorsement of an email
authentication technology and if so which technology should be endorsed and
should that endorsement be simple encouragement or some form of coertion
ranging from regulation to legislation?'

If your objective here is to achieve some form of endorsement you certainly
do not want internal industry squabbles being laundered in public.

The party line is that publishing SPF syntax records is safe, has minimal
operational impact on senders and brings significant advantages.
Cryptographic authentication such as that proposed in IIM and Domain Keys
provides significant additional advantages, particularlyfor brands targetted
by phishing but does have a significan operational impact and there is not
currently a consensus industry specification, although this is rapidly
converging.

The desired outcome being:
  * Encouragement for all email senders to publish SPF records forthwith.
  * Encouragement of financial institutions targetted by phishing to examine
       cryptographic mechanisms.
  * Possible future regulations to require regulated FIs to use both forms 
       of authentication on outgoing email.

Since the PRA component is only relevant to the interpretation of the
records it is irrelevant to any rules that the FTC might impose. I don't see
why anyone would expect the FTC or any other party to regulate how people
filter their mail.


<Prev in Thread] Current Thread [Next in Thread>