spf-discuss

RE: Re: This is ridiculous.

2005-06-11 12:24:36

From: Frank Ellermann Sent: June 11, 2005 

|John Glube wrote:
|
|> The ongoing wild west show based on the principle of your
|> box, your rules, without any filtering framework for
|> networks means that in the effort to fight spam, phishing,
|> viruses and worms, email will continue to be highly
|> unreliable.
|
|SPF FAIL fixes a 16-year-old severe security bug in SMTP.
|
|If you must, shoot Dave Crocker and John Klensin because
|their vintage 1989 crystal balls were flawed, but please
|stay away from STD 10, Jon Postel, SPF, and Wayne Schlitt.

Yes, whether there was a security bug in SMTP which needs fixing,
or whether SMTP works, but the trust presumption needs to change,
is an underlying philosophical debate.

That being said, I have no interest in shooting anyone.

I am just telling people, in my opinion:

* The IESG is only going to approve the protocol for SPFv1,
which attempts to document what has been done in the field
as an experimental document.

* If people want to move SPFv1 forward on a standards track,
you need to set out what has been learned to date, discuss
what needs to be changed and put forward these changes,
along with a framework for recommended uses.

Even then, I am not sure the IESG would approve SPFv1 for a
standards track. Why?

No matter how you couch it, the recommendation made in the
protocol for SPFv1 concerning the use of these records
conflicts with the backward compatibility agreement that was
reached between Meng (one of the editors), AOL and MSN
allowing the use of SPFv1 records for the purpose of PRA
checking and as reflected in SIDF.

As long as this conflict continues, which it will, unless:

* SPFv1 is changed to require publishing of scope modifiers for
existing and future records, or 

* The IESG were to decide to reject SIDF for experimental
status (which is unlikely);

In my view the IESG is going to resolve the matter by stating
that both proposals should proceed as experimental standards.

Please understand these are an expression of my views. I may be
wrong, but I do feel obliged to tell people. Why? Should the
Council decide to continue on the present path and the IESG
decide to reject the standards request, community members should
be neither surprised nor shocked.

Concerning the point I made which generated the specific
response, I also urge folks to revisit this document:

Unsolicited Bulk Email: Mechanisms for Control
http://www.imc.org/ube-sol.html

Then look at the experience over the last 7 years, involving
the various efforts to control UBE.

Take what has worked and reject what has failed.

In part, this is why I think the work done by the Canadian
Task Force on Spam, which builds heavily on what was done in
Australia merits close study.

http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00317e.html

As to the whole area of email accountability, appreciate
there needs to be an ongoing dialogue between senders and
receivers.

Why? So that senders and those who wish to receive solicited
bulk email (be they commercial operators or not for profit
mailing lists and everything in between), along with senders
and those who wish to receive necessary transactional and
relationship email are not penalized in the ongoing fight to
control online abuse. Especially as receivers first
implement best practices to bring online abuse under control
and then continuously improve these practices to meet
ongoing threats.

John