"Meng Weng Wong" reported:
New subscribers to the list will now see the following text:
<snip />
October 2004: Microsoft encourages the publication of SPF
records. Microsoft will use a modified form of SPF, known as
"Sender ID", to check message headers in MUAs. Most other
MTA implementations continue to use SPF in its original form,
to check the return-path at SMTP time.
I think this is a totally unacceptable statement to put on the official SPF
list. With no caveats or warnings, the inference is that "SPF" (whatever or
whoever that is) tolerates or even supports this (ab)use of SPF by Microsoft.
I'm pretty sure the majority view here is cautious about or hostile to
Microsoft's actions.
And BTW, have Microsoft themselves actually gone public about Sender-ID being an
MUA test? I know Meng has forecast this, and I know many of us (and those on
MARID) have suspected that this logically has to be their ultimate intent, but I
thought the understanding here (reiterated in another post by someone earlier
today) was that MS had not yet publicly positioned Sender ID as an MUA test.
SPF (however 'modified') is not intended for MUA use and would have a basic
security flaw:- the MUA has no trusted way of knowing the IP address from which
the eMail was sent. [At least not without something like an additional, crypto
supported MTA-to-MUA protocol - which I wrote about in detail during the MARID
process].
Quite frankly, I feel that obviously-controversial changes like this to SPF's
'official' positioning should not be issued until the new gang-of-five has been
elected; they should be deciding these policy-related matters.
I believe this paragraph of the message should be withdrawn immediately.
Your disappointed,
Chris Haynes