spf-discuss

RE: Re: Agenda item: SenderID Position Statement

2004-12-05 17:03:01
-----Original Message-----
From: Wayne
Sent: December 5, 2004 2:35 PM

|My intent on having the council vote on this is to put this
|issue to rest. There were/are, however, several candidates
|who have expressed reservations with this and did not sign
|it. I cross-posted this agenda request to spf-discuss as a
|way of saying "Speak now, or forever hold your peace."

In moving any proposal forward, elements of marketing,
promotion and advertising are involved.

The PRA statement is a form of negative advertising. By
attacking PRA authentication, ultimately you raise
questions about MAIL FROM authentication as both methods
rely on the SPF record.

I appreciate many folks have a strong animus towards MS.
But I believe making the PRA statement a founding position
of the SPF community will come back to haunt this group,
should the decision be made to do more than merely act as
a technical body to shepherd an internet draft for SPF
through the IESG approval process.

Why? MS is such a significant player in the market place
you can't ignore them. For example, MS would find it very
difficult to support any standards body proposed by a group
which had the PRA statement as one of its tenets.

Having said this, I am not enamoured with PRA
authentication. I believe the proposal is flawed for a
variety of reasons. But, the operative word in this
situation is my belief. Sure, we can dress that belief up
into a series of nice sounding technical concerns.

However, without an outside technically focused review,
along with significant testing in the wild, we don't have
any hard data to verify the concerns.

I am not saying don't adopt the position. I am simply
saying, if the SPF community decides to adopt the PRA
position as an official statement, people need to
appreciate this will have negative consequences as to any
future dealings with MS and the legions of people who are
MS users and supporters.

As I have said previously, once the Internet drafts for PRA
authentication were filed, the position changed. In the
circumstances, I would suggest it is better to leave the
statement as that by a concerned group of technologists,
which the SPF community at large can acknowledge and
reference, without making it a formal position.

||And I suggest that SPF Council on behalf of SPF community
||write a letter to FTC thanking them for organizing the
||summit (a several-page letter based on John Glube's
||original one would be good)

|Indeed, you have suggested that before and as a result, I
|added it to the "informal rough draft agenda"[1] for the
|first council meeting. Unfortunately, we didn't make it that
|far down the list.
|
|I personally think that John's letter[2] is too long (5
|pages) and doesn't really reflect the SPF community on some
|subjects.  For example, it gives equal time to both SPF and
|SenderID.  It also promotes the CLEAR proposals, CSV and
|BATV, instead of SPF/HELO, SES and SRS.  It says that SPF
|is both expensive and experimental, while not mentioning this
|about the CLEAR/MASS proposals.

The community at large is free to amend the letter or
reject it. 

However, it was written with a clear objective in mind. To
put forward a relatively nuanced position and point out
that none of the authentication proposals, including SIDF
and CLEAR, are "ready for prime time."

Of course, if people want to cut and slash at PRA, CLEAR,
DK and so forth, while promoting SPF and SES as being "the"
solution, go ahead. But, to my mind that defeats the very
purpose of such a letter.

The FTC and NIST held a conference asking a series of
questions. What the FTC and NIST are looking for is a way
forward, so that industry can come up with one or more
authentication standards.

If industry can't come up with a realistic solution, then
among other things, the FTC will go back to Congress and
ask for a mandate to design and implement a standard.

The letter I drafted takes a stance towards the various
proposals which reflects the underlying reality. 

For example, just looking at SPF for the moment:

* SPF has never been subject to a focused technical review
by an outside panel of experts. 

* The SPF community is still debating a final protocol
draft for v=spf1. 

* Based on preliminary analysis, SPF will have a higher
cost in DNS lookups than CSV. 

* It seems that SRS is not a good solution for forwarding
and even if it is, there is no Internet specification
draft. 

As to SES, to my knowledge an Internet specification draft
does not exist, although I stand to be corrected on this
point.

At day's end, when the IESG closed MARID, it asked for
individual submissions for consideration as IETF backed
experimental proposals, subject to a focused technical
review. 

So, before folks start leaping up and down saying SPF and
SES "is" the only way forward and "is ready for prime time," I
would suggest the SPF community needs to finish the work in
hand.

John

P.S. Congratulations to all those elected to the SPF Council.

John Glube
Toronto, Canada

For The Record, Will Microsoft Own Email?
http://www.learnsteps4profit.com/wme.html

What Does Microsoft Have To Hide?
http://www.learnsteps4profit.com/let.html
