RE: co-chair judgment of consensus related to last call period of 23-Aug-2004 to 10-Sept-2004
I agree with Andy.
I thought we should have done this all along. The mail from and pra
mechanisms are merely means of interpreting and using the SPF data. The data
itself consists of no more and no less than a set of IP addresses
corresponding to approved outgoing edge servers which may or may not be
known (and specified) to be complete.
Phill
> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2@xxxxxxxxxxxxx]
> Sent: Tuesday, September 14, 2004 6:25 PM
> To: Andrew Newton
> Cc: IETF MARID WG
> Subject: Re: co-chair judgment of consensus related to last call period of 23-Aug-2004 to 10-Sept-2004
>
> On Sat, 2004-09-11 at 13:59 -0400, Andrew Newton wrote:
> > The document authors have agreed to producing new drafts intended to
> > meet the chartered work item, and a consensus call on them or the
> > appropriate diffs will be forthcoming. This work plan does not include
> > scopes outside of "mail from" and "pra", and it is our opinion that no
> > new work items of this type should be considered until MARID has
> > successfully produced a first specification.
>
> I strongly disagree with this opinion. I believe that it does not make
> sense to have multiple scopes, and certainly not to plan to add even
> more scopes later. I shall explain my reasoning:
>
> The 'mail from' and 'pra' scopes require significant changes in current
> practice, which would essentially require the entire Internet to
> 'upgrade' to conform.
>
> Setting aside the deployment problems posed by this, let us assume that
> despite the fact that most of them haven't even discovered ESMTP yet,
> the whole world _does_ actually manage to upgrade tomorrow; to perform
> SRS and to add whatever we decide to use instead of the badly-chosen
> 'Resent-From:' header.
>
> Once such an upgrade has occurred, the identities actually _checked_ by
> either scope would be modified automatically by mail servers as the mail
> is in transit -- each mail server could pick any arbitrary 'domain' to
> put into those identities for checking, as long as the DNS records for
> that 'domain' permit the IP address of the server in question.
>
> The identity which is being checked at each hop would no longer be
> directly related to the original sender of the mail, but merely serves
> as a verified identifier for the entity which controls the mail server
> in question, and can be used to determine a level of trust for that
> server.
>
> Therefore, the 'mail from' and 'pra' scopes should be considered equal,
> not as complementary forms of 'authentication'. Once the whole world has
> upgraded, each scope provides merely an arbitrary handle by which to
> classify the mail host which is submitting a given mail.
>
> That is why it does not make sense to offer multiple scopes. One would
> suffice, and it should be one which does not suffer potential IPR
> problems and which does not require such a worldwide 'upgrade'. The HELO
> identifier checked against an IP address, or a signature on TLS
> certificates, or perhaps the SUBMITTER SMTP extension, would provide an
> equally suitable identifier for the entity responsible for a given mail
> server, without any of the technical difficulties.
>
> Therefore, the working group should abandon the 'mail from' and 'pra'
> scopes and seek a _single_ scope which serves the purpose of identifying
> the entity responsible for a given mail server.
>
> The problem of true authentication of senders is a separate one which
> needs to be addressed by a true end-to-end method. To use a hop-by-hop
> method based solely on IP addresses for such a task is inherently
> insecure and is counter-productive due to the confusion it causes.
>
> --
> dwmw2
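An added toy model of the argument made in both messages above (example code written for this archive page, not from the thread or from any SPF implementation): a domain's published data is just a set of approved outgoing IPs, possibly marked incomplete, and once forwarders rewrite the envelope sender at every hop (SRS-style), the identity each hop checks names the previous relay rather than the original sender. All domain names and IP addresses are constructed.

```python
from ipaddress import ip_address
# Constructed records: domain -> (approved outgoing IPs, is the set complete?).
# A complete set behaves like SPF "-all", an incomplete one like "~all".
RECORDS = {
    "alice.example":     ({"192.0.2.10"}, True),
    "forwarder.example": ({"198.51.100.5"}, False),
    "list.example":      ({"203.0.113.7"}, True),
}

def check(domain, ip):
    """Hop-by-hop verdict: does `domain` approve `ip` as an outgoing server?"""
    rec = RECORDS.get(domain)
    if rec is None:
        return "none"            # domain publishes no data at all
    approved, complete = rec
    if str(ip_address(ip)) in approved:
        return "pass"
    return "fail" if complete else "softfail"

def srs_rewrite(mail_from, relay_domain):
    """Forwarder takes ownership of the envelope sender (SRS-style rewrite)."""
    local, _, orig_domain = mail_from.partition("@")
    return f"SRS0={orig_domain}={local}@{relay_domain}"

def relay_chain(mail_from, origin_ip, hops, rewrite=True):
    """Walk a message through `hops` = [(receiving relay domain, its IP), ...].
    Each hop checks the current envelope domain against the IP that connected
    to it, then (if rewrite) rewrites the envelope to its own domain.
    Returns one (domain checked, connecting IP, verdict) tuple per hop."""
    trace, current, connecting_ip = [], mail_from, origin_ip
    for relay_domain, relay_ip in hops:
        domain = current.rpartition("@")[2]
        trace.append((domain, connecting_ip, check(domain, connecting_ip)))
        if rewrite:
            current = srs_rewrite(current, relay_domain)
        connecting_ip = relay_ip   # the next hop sees this relay's address
    return trace

HOPS = [("forwarder.example", "198.51.100.5"),
        ("list.example", "203.0.113.7"),
        ("final.example", "192.0.2.200")]

if __name__ == "__main__":
    # With rewriting every hop passes, but only the first check names alice.
    for row in relay_chain("alice@alice.example", "192.0.2.10", HOPS):
        print(row)
    # Without rewriting, forwarding breaks: later hops fail the original domain.
    for row in relay_chain("alice@alice.example", "192.0.2.10", HOPS, False):
        print(row)
```

Each "pass" in the rewritten chain only says that the connecting relay's IP is approved by a domain that relay chose for itself, which is the "arbitrary handle" for the submitting host that the message above describes.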