spf-discuss

Re: web page on sender ID

2004-11-05 17:17:27

On Sat, 6 Nov 2004, Koen Martens wrote:

On Fri, Nov 05, 2004 at 11:58:33AM -0600, wayne wrote:

As far as my personal position on SenderID, I have long held that:

* The patent license is incompatible with far too large a percentage
  of deployed MTAs for it to become a standard (de-jure or de-facto).
  Unless a widely accepted alternative that covers the From: header
  can be found, I will work to stop any standardization on the PRA.

* The PRA has many technical problems that make it unsuitable for use
  in the real world.

  * The PRA doesn't protect the From: header when phishing is going
    on.  So, the PRA only protects it when there is no need to protect
    it.
  
  * The PRA gives false positives (fails) on all the same things that
    SPF does, but also fails on mailing lists and on some
    person-to-person email when the MTAs incorrectly add the wrong
    Sender: header.

    From what I can tell, since mail coming from mailing lists is far
    more common than mail coming from forwarders, this means that the
    PRA has an error rate of at least 10 and maybe up to 1000 times as
    high as SPF-classic.
  
  * SenderID re-purposes the v=spf1 records.  This will cause failures
    in cases where deployed SPF records currently work.  In some
    cases, those failures can be fixed by changing things, in others
    (e.g. SES exists:), it can't.
  
  * The PRA has had very limited deployment and testing, making it far
    riskier than SPF-classic.

  * The PRA requires the use of the Resent-* headers that many people
    believe is inconsistent with the use defined in RFC2822.  Almost(?)
    no one currently uses these headers for either mailing lists or
    forwarding.

    The only reason that I can tell that the Resent-* headers are used
    instead of a new, PRA specific header, is that a new header
    would make it very obvious that this is a significant change to the
    current email environment.
    
I'm sorry that this isn't a web page as you asked for.  I could create
one easily enough, but it would still be my opinion, and not the
consensus of the SPF community.

If I've missed something and I can help, please let me know.

Actually, that's pretty much what I would have come up with. Should we
take it to a vote? I vote yes for this text. 

Meng said this was urgent and we really don't have time for voting in this 
case. So go for it (with whatever modifications you feel are appropriate 
as suggested by Mark Holm and me).

After it's published, if you have capabilities for it, add a form on the 
bottom where one can "sign" that they agree with this text (give your name
and email address and small comment - your "signature" is then verified by 
email) and collect and publish a list of those who agree with this position.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
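
As an added illustration of the header dependence raised in the PRA bullets above (not code from this thread or from any Sender ID implementation): a simplified selection of the purported responsible address, following the header precedence later published in RFC 4407. That precedence is an assumption here, since the thread does not spell out the algorithm, and the messages and domains are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

def single_mailbox(value):
    """Return the one addr-spec in a header value, or None if malformed."""
    addrs = [a for _, a in getaddresses([value]) if a]
    return addrs[0].lower() if len(addrs) == 1 and addrs[0].count("@") == 1 else None

def pra(raw):
    """Return (header, mailbox) selected as the PRA, or (None, None) if ill-formed."""
    fields = [(k.lower(), v.strip()) for k, v in message_from_string(raw).items()]
    chosen = None
    # Step 1: first non-empty Resent-Sender, skipped when an earlier Resent-From
    # is separated from it by a Received or Return-Path header.
    rs = next((i for i, (k, v) in enumerate(fields) if k == "resent-sender" and v), None)
    if rs is not None:
        blocked = any(fields[j][0] in ("received", "return-path")
                      for i in range(rs) if fields[i][0] == "resent-from" and fields[i][1]
                      for j in range(i + 1, rs))
        chosen = None if blocked else fields[rs]
    # Step 2: first non-empty Resent-From.
    if chosen is None:
        chosen = next(((k, v) for k, v in fields if k == "resent-from" and v), None)
    # Steps 3 and 4: exactly one Sender, else exactly one From.
    if chosen is None:
        for name in ("sender", "from"):
            hits = [f for f in fields if f[0] == name and f[1]]
            if len(hits) > 1:
                return (None, None)
            if hits:
                chosen = hits[0]
                break
    mailbox = single_mailbox(chosen[1]) if chosen else None
    return (chosen[0], mailbox) if mailbox else (None, None)

# Constructed messages: the same post as relayed by three different hosts.
BODY = "From: Alice <alice@example.org>\nTo: discuss@lists.example.net\nSubject: hi\n\nhello\n"
LIST_PLAIN = "Received: from lists.example.net\n" + BODY
LIST_SENDER = "Sender: discuss-bounces@lists.example.net\n" + LIST_PLAIN
FORWARDED = "Resent-From: bob@forwarder.example\n" + LIST_PLAIN

if __name__ == "__main__":
    for name, raw in [("list, no Sender", LIST_PLAIN), ("list, Sender added", LIST_SENDER),
                      ("forwarder, Resent-From", FORWARDED)]:
        print(f"{name:24} PRA = {pra(raw)}")
```

In the first case the selected address is still in example.org, so the check is made against that domain's record even though lists.example.net delivered the message; only when the relay adds a Sender: or Resent-* header does the PRA move to the relay's own domain.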

