spf-discuss

RE: Re: Agenda for FTC/NIST Email Authentication Summit

2004-11-03 13:46:27

On Wed, 3 Nov 2004, Hallam-Baker, Phillip wrote:

> In dealing with such organizations you should first be aware of the real
> questions that they are asking. Their interest is legislation and executive
> branch functions, not technology.

In this case they may actually be interested in technology a lot more than
usual and in details of those technologies. This is pretty rare for such
government agencies.
 
> From a practical point of view the submissions deadline closed long ago.

> From a political point of view the real question that is being asked is
> 'should there be some form of government endorsement of an email
> authentication technology and if so which technology should be endorsed and
> should that endorsement be simple encouragement or some form of coercion
> ranging from regulation to legislation?'

> If your objective here is to achieve some form of endorsement you certainly
> do not want internal industry squabbles being laundered in public.

I have doubts they will provide official endorsement but who knows...
 
> The party line is that publishing SPF syntax records is safe, has minimal
> operational impact on senders and brings significant advantages.

That is exactly the problem - it is not safe with the PRA algorithm and has
the possibility of significant operational impact (on senders whose email is
improperly rejected).

> Cryptographic authentication such as that proposed in IIM and Domain Keys
> provides significant additional advantages, particularly for brands targeted
> by phishing but does have a significant operational impact

The meaning of the word "impact" is important here. If you mean that it requires
more programming and changes to support such technology, then it is true.
But if we take impact to mean how it affects senders, as impact on which
of their emails get through or not, then cryptography is better and safer
and has less impact on email infrastructure.

> and there is not currently a consensus industry specification, although
> this is rapidly converging.

Most of the email software used in the world is made by authors of F/OSS and
they are not part of what you might want to call "industry" and are not
involved in what you want to call a consensus. The specifications that they
agree to implement are email RFCs produced by IETF and so far IETF has not
been willing to be put in the position of a political pawn for some large
organizations who want people to implement their proprietary solution.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/

