Mailing List Archive



Re: [tlug] SPF info



>>>>> "Evan" == Evan Monroig <evan.monroig@example.com> writes:

    Evan> there is SenderID, a Microsoft protocol derived from SPF and
    Evan> defined in RFC 2822.

That must be a typo, RFC 2822 is the current proposed standard to
succeed RFC 822 as STD 11, the standard that defines message header
syntax and semantics.

AFAIK SenderID is not a Microsoft protocol, it's a hybrid of a
Microsoft protocol and SPF.  From what I could figure out a while ago
when looking at SPF, SenderID is overly ambitious for the internet
environment.  It tries to do too many things and will probably do none
of them well.

It also had the problem that Microsoft was trying to patent some of
the required technology, which is something we want to avoid in this
case, because there's no value-added to Microsoft's proprietary
technology that I can see---there already are non-proprietary ways of
accomplishing much the same goals.

    Evan> The article is from September 2004, and I know from
    Evan> openspf.org that the MARID working group "failed" (whatever
    Evan> that means. My guess is that they couldn't produce the
    Evan> standard that the group was set up for).

That's usually what is meant.  The way that the process works is that
ad hoc working groups put together drafts with a 6 month expiration
date, and publish them as "internet drafts".  A given group may have
several drafts available at any given time, so this is clearly not yet
a candidate for a standard.  Once the group agrees on a single draft,
there is some kind of vote and if passed, it becomes an RFC.

    Evan> So to me, the story is that the current standard for email
    Evan> sender domain verification is SPF,

No.  There is an implementation of email sender domain verification
called "SPF", and it has a standard, RFC 4408.  There may be other
ways of accomplishing similar things which are also standard, eg,
SenderID and DomainKeys.

Why?  Because you may have different environments in mind.  Eg, IIRC,
SPF is transparent to MTA topology, only the original sender is
verified.  DomainKeys assumes a network of trust, so that when a
message from A to C is relayed by B, B uses B's domain key to assure C
that B trusts A.  If SPF uses a patent, then mailing lists can ignore
it.  This is not true of DomainKeys, again IIRC.

    Evan> and that for individual sender verification, we'd better use
    Evan> GPG...

Yes.  But unlike domain verification, it's not very well-defined in
the Internet mail context.  Consider "sender" vs. "author" for
starters, and then look at various forms of resending such as mailing
lists or news-to-mail gateways.  GPG is much more appropriate to
author verification, I should think.

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.

