Can the ID command be trusted ?

I gave what I thought was a simple valid answer to this question, and the 
answer was ignored.  Here is a second simple answer to the question.  Sorry 
to be a pain, but this is an important question, raised by several people, 
and we never seem to get to a conclusion.  I suspect we will not reach a 
conclusion here, but I would like to get at least a clear summary of the 
objection so that I can include it with the draft when it goes to the 
IESG.  I cannot write this summary myself, because quite honestly, I don't 
understand the objection.
To recall the context, we are talking about an incoming email that looks 
like this:
   EHLO  mailserver7.bigforwarder.com
   ID  bigforwarder.com
   MAIL FROM:<bob(_at_)sales(_dot_)some-company(_dot_)com>

> Then what's to prevent a forger from saying:
>
> ID BillGates.microsoft.com
>
> Any identity is insecure until there is some protocol for verifying it.
Every IP-authentication method has the problem what to do about 
forwarders.  We need an ID that can be used to authenticate each forwarder, 
but SMTP has no such parameter.  Different methods have solved this problem 
in different ways.
Sender ID has added a SUBMITTER parameter:
MAIL FROM:<bob(_at_)sales(_dot_)some-company(_dot_)com> 
SUBMITTER=bigforwarder.com

SPF uses SRS to "rewrite" the MAIL FROM command:
MAIL FROM:<bob#sales(_dot_)some-company(_dot_)com(_at_)bigforwarder(_dot_)com>

Neither of these can serve as a neutral ID declaration, due to restrictions 
in each specification.  SUBMITTER must be used with Sender ID and SRS must 
be used with SPF.
All information in SMTP commands can be forged.  Any ID must be 
authenticated, whether it is provided as a SUBMITTER value, embedded in the 
MAIL FROM command, or provided in a separate command.  There is no 
difference in the security of one syntax versus another.
It is the ID owner's responsibility to provide DNS authentication records 
appropriate for its chosen authentication methods.  If SUBMITTER is to be 
supported, then Sender ID records must be provided.  If SRS is to be 
supported, then SPF records must be provided.  If the ID command is to be 
supported, then records must be provided for at least one method the 
receiver has installed.  The ID command provides the same information as 
the alternatives, but without the restriction that it must be used with 
only one authentication method.
For example, if a query to _AUTH.<ID> (or whatever is the neutral location) 
shows only SPF records are provided, then the receiver must run an SPF 
check, using the ID as if it had been provided by the SRS syntax.  If only 
Sender ID records are provided, then the ID must be treated as if it had 
been provided using the SUBMITTER syntax.  If only CSV records are 
provided, then the EHLO identity must be checked exactly as required by 
that method.  If records are provided supporting different methods, then 
the receiver may have some flexibility in choosing which method to apply.
--
Dave
************************************************************     *
* David MacQuigg, PhD     email: david_macquigg at yahoo.com     *  *
* IC Design Engineer            phone:  USA 520-721-4583      *  *  *
* Analog Design Methodologies                                 *  *  *
*                                 9320 East Mikelyn Lane       * * *
* VRS Consulting, P.C.            Tucson, Arizona 85710          *
************************************************************     *