Julian Mehnle wrote:

> I dug out Wayne's survey from September 2004[1]

Good enough.

> The oldest sensible numbers from MS I could find were
> "750,000 domains [...] publishing [SPF] records" in their
> March 2005 press release[2]. March 2005 however is a bit
> late.

ACK. I also don't find their first PR shortly after MARID
was closed, most likely they just copied what Wayne or Andy
said in mxcomp adding some fantasy factor.

> Instead I added the "BATV, SES, SRS, VERP not caring about
> the headers" case in my draft.

Fine.

> If you can, please find "Meng's v=marid Olson CYA" article.

That's easy, two clicks away from what I just posted here in
reply to Mark, the footnote points to...
<http://article.gmane.org/gmane.ietf.mxcomp/5794>
...and that points to Meng's famous v=marid article...
<http://article.gmane.org/gmane.mail.spam.spf.discuss/8119>
...plus Wayne's comment...
<http://article.gmane.org/gmane.mail.spam.spf.discuss/8162>
...but you'd want the former. Meng's article also has a
pointer to his CYA "Olson objection" slide show.

> theoretically valid, but it appears to me as quite obscure.

Okay, forget anything that's obscure - but don't use Mark's
idea for a "soft reuse of ?all".

> It could be argued that the MSA just should be fixed.

Supporting 2476 6.1 enforced submission rights _without_
option 8.1 "MAY add Sender" is not at all broken, quite the
contrary. Admins thinking about 8.1 should first talk with
their lawyer, manipulating a mail header is very critical -
even today before DKIM.

> Do you really think this is a _real_ security threat?

Yes. A bogus "authenticated PASS" from a trustworthy MSA is
a wet dream for all wannabe-phishers.

> I haven't linked to any spf-discuss or spf-council messages
> in the draft so far. Does anybody know any good candidates?

Maybe something from / to Mr. Hardie documented in the Council
list archive? One of my two complaints here and on the IETF
list?
<http://mid.gmane.org/42284F87.4155@xyzzy.claranet.de>
<http://mid.gmane.org/42AE1431.1276@xyzzy.claranet.de>
The latter has a Cc: iesg@, otherwise it's irrelevant,
you have this point already much better in your text.
Or one of the two articles where I tried a Cc: Brian?
<http://mid.gmane.org/42AE230E.3BA3@xyzzy.claranet.de>
<http://mid.gmane.org/42AE230E.3BA3@xyzzy.claranet.de>
The latter isn't _too_ bad, it's not about Mr. Hardie.
OTOH Brian didn't answer, so this wasn't the required
attempt of a peaceful settlement before calling the
IAB because of a "process failure".
Your appeal starts this procedure in the proper order,
first IESG, later if necessary IAB.
Bye, Frank