spf-discuss

Re: update of "welcome to the list" message

2004-11-22 17:16:01

On Mon, 22 Nov 2004, Chris Haynes wrote:

 "Meng Weng Wong" reported:

New subscribers to the list will now see the following text:

<snip />

  October 2004: Microsoft encourages the publication of SPF
  records.  Microsoft will use a modified form of SPF, known as
  "Sender ID", to check message headers in MUAs.  Most other
  MTA implementations continue to use SPF in its original form,
  to check the return-path at SMTP time.



I think this is a totally unacceptable statement to put on the official SPF
list.  With no caveats or warnings, the inference is that "SPF" (whatever or
whoever that is) tolerates or even supports this (ab)use of SPF by Microsoft.

I'm pretty sure the majority view here is cautious about or hostile to
Microsoft's actions.

And BTW, have Microsoft themselves actually gone public about Sender-ID being an
MUA test?  I know Meng has forecast this, and I know many of us (and those on
MARID) have suspected that this logically has to be their ultimate intent, but I
thought the understanding here (reiterated in another post by someone earlier
today) was that MS had not yet publicly positioned Sender ID as an MUA test.

SPF (however 'modified') is not intended for MUA use and would have a basic
security flaw:- the MUA has no trusted way of knowing the IP address from which
the eMail was sent.  [At least not without something like an additional, crypto
supported MTA-to-MUA protocol - which I wrote about in detail during the MARID
process].

Quite frankly, I feel that obviously-controversial changes like this to SPF's
'official' positioning should not be issued until the new gang-of-five has been
elected; they should be deciding these policy-related matters.

I believe this paragraph of the message should be withdrawn immediately.

I totally agree with what Chris wrote that this paragraph does not belong
on the spf-discuss list and with his reasoning.

I would also say that the previous paragraph does not belong either:
  "November 2004: The Messaging Anti-Abuse Working Group
   sponsors a white paper titled Sender Authentication: What To Do.
   http://spf.pobox.com/whitepaper.pdf"
This whitepaper is written by one person at SPF community with specific
goals in mind and with request of people other than SPF community to
promote email security mechanisms that include not only SPF but others
that SPF community has no defined agreement on or input in.

The message for SPF discuss mail list should only focus on SPF and nothing
else (except possibly list etiquette which is mentioned by means of RFC1855).
Also I would like to note that saying "the proposed SPF standard" is not
quite correct as SPF is not a standard and it appears IETF was not willing
to even put "proposed" part on it. I would prefer to have that changed to
"the proposed SPF protocol".

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net