> Speaking of productive discussion, I replied to an earlier message of
> yours, and I think I addressed most of the points you were making there.
> Is there any particular reason you chose a number of other messages to
> reply to but not mine?
no reason that i can recall. if anything, i've been concerned about posting
too much to this list, so i have not been trying to respond to everyone's
posts to me.
so, herewith:
On Thu, 18 Nov 2004 21:58:08 -0800, Greg Connor wrote:
> My opinion also is that the domain owner must make this decision on behalf
> of all the users of the domain.
What are the criteria they should use? Where do they get guidance for the
environments that work well with spf and the ones that do not?
> I think I have had similar conversations before with Dave, so I'm pretty
> sure Dave doesn't misunderstand the concept. My guess is that he just
> disagrees with the philosophy of having to pick a sending plan ahead of
> time and stick to it.
exactly.
> > It's a lot like saying that you cannot drop a postal letter into just any
> > ol' mailbox, because you would need to pre-register it with the
> > letter-carrier who will drop it in the delivery mail slot.
> I submit that converting the essential information to a metaphor
> enhances its clarity, but doesn't do much for its accuracy. For example,
> the postal service doesn't have 90% of its incoming letters sent postage
> due with fake or missing return addresses.
Since the example was being used to represent the control structure, the
difference in threat models is not relevant. First, we need to get some
agreement about the nature of the impact on usage choices. So far, we do not
seem to be able to do that.
In general, restricting legitimate usage cases -- forever -- seems rather
Draconian, especially when we have so far obtained no evidence that the
mechanism will have the desired result. And getting the evidence will be
difficult, because there is so much confusion about what exact results are
desired.
> > We're sitting in a meeting. My friend is not a geek; they do not
> > administer domain names...
> >
> > Now, how is this scenario unreasonable and/or how can spf work
> > "correctly" in this real-world situation.
> (By the way, the use of the term "correctly" also implies a value
> judgement.
Given that spf is a technical specification and that the computer science
construct of correct operation is actually an area of formal study, I did not
mean anything about judgement (by which I assume you meant subjective
assessment.) I meant that there are presumably desired effects in using spf
and there is presumably a desired array of usage scenarios in which it can be
applied successfully.
> If you want people to stop describing "spontaneous" usage as
> "forged" or "unauthorized", then perhaps you could also avoid describing
> the known limitations and tradeoffs of SPF as "incorrect"... Each side of
I already have. What I did was to ask how spf could do its job for some
specific, legitimate usage scenarios. My own understanding of SPF is that it
does not support them. I was therefore asking how it could, as in how does it
operate successfully in those scenarios?
> The roaming problem is a well-known one with many different solutions, a
> number of which could probably be used here.
Here's where subjective judgement will come in. What solutions are likely to
be viable in the real world, which means both work successfully and be
tolerable to their users?
> A technical solution would be to reconfigure your friend's mail program to
> send to your (company or isp) smtp-auth server and supply your smtp-auth
Reconfigure on the fly? And you think that is applicable to the general
Internet user population? That is, you think that it can reasonably be used by
the 999,000,000 users of the Internet who are really, seriously and thoroughly
not technical? (I'm making a handwave estimate that there are a million of us
who might be able to do the reconfigure; and it doesn't matter much if I'm off
by an order of magnitude. In any event, I'm ignoring how many of us would find
the task too much hassle. For example, I am trying to imagine similar human
factors usability choices when I borrow a friend's cell phone.)
> A less technical, more accessible solution would be to request web access
> (OWA, squirrel mail, whatever) from your company or ISP.
This is trying to solve blocked, legitimate scenarios by forcing people into
different scenarios.
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
www.brandenburg.com