[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Greg
Connor
When I was first introduced to CSV, I said, "But wait, SPF
already has HELO
checking, can't we just use that?" For various reasons, CSV
supporters
maintain that CSV is actually better than SPF HELO checking;
This does not worry me in the slightest. I don't WANT to persuade the CSV
group. If they waste their time on CSV that is less time that they can be
spending interfering with SPF and SenderID.
What I want is simply a piece of ammunition that I can use to defuse the
issue if someone wants to invite them to be on a panel or such.
The coalition of thought leaders behind SPF and Sender ID framework is large
and growing. That is what matters.
All I want is a response in my back pocket so that if someone brings up CSV
I can give an answer of the form, 'What you are talking about there is HELO
checking, the SPF spec describes a method of HELO checking using deployed
SPF records, the technical issues raised by the CSV group have been
thoroughly considered, at this point however we are long past the stage
where we can engage in extended discussions of technical minutiae, the CSV
group cannot claim the support of any first rank industry thought leader,
every thought leader who has expressed an opinion to date has backed
SPF/Sender-ID, that includes Microsoft, AOL, Sendmail, the Email Sender
Technology Group and of course VeriSign.
(When it comes time to define Unified SPF it should be just another
scope, so we can write spf2.0/helo records, or check the
scope macro or both.)
As someone who spent three years working on HTTP-NG I don't think it is very
likely that we get to do an SPFv2. We might get to do a 1.1 cleanup version
if we are lucky.
There is lots more that must be done to stop spam and net crime. But getting
a second shot at core SPF syntax will be very hard.
Most likely way we could do it is to start a group in W3C, the leadership
council gets itself recognized by W3C as an interest group as happened with
Apache, then SPF developers can participate in whatever takes place, for
example cleaning up SPF as one component in a general email authentication /
security cleanup project. The advantage of this route is that 1) the IPR
regime is already defined (and negotiated and agreed by both Apache and
Microsoft already) and 2) even though the group is open to SPF developers it
would not necessarily be 'open to everyone with a keyboard and an opinion'.
Phill