From: Henry Spencer (henry@spsystems.net)
Date: Wed Jun 05 2002 - 14:55:37 CDT
On Wed, 5 Jun 2002, John Stanley wrote:
> >Moreover, I actually paid attention to Charles's last-call
> >deadline for comments.
>
> That's nice for you. You might notice that I replied to something you
> sent. It's a bit disengenuous to imply that your comments cannot be
> replied to because you made them so close to the end of the artificially
> created "last-call" deadline.
Actually, I made the comments in question *after* said deadline, in response
to other commentary. But you clearly had at least one issue with draft 07,
and you didn't say anything at all before the deadline -- why not?
> And I notice that you did not chastise
> anyone else you are currently in discussion with about this.
I was merely responding in kind to your accusation that I hadn't read
the draft. "Oh kettle, thou art black."
> > How so? The draft does not define "address",
>
> The draft is written in English (or english, for those who wish to whine
> about spelling or capitalization).
Quite so. A rather imprecise language, that, unless great care is taken.
(In my desk dictionary, "address" as a noun has seven different meanings
listed, not counting variations within several of them.)
> >... a distinction between an "address" and a "valid address".
>
> So, tell me, for whom is "joe@bite.me.you.damn.spammers" an address?
It is an address for everyone, but not a *valid* address for anyone. At
least, not now -- it is not unthinkable that there might be a ".spammers"
TLD someday. (Which is why, if you want an address which is *guaranteed*
invalid, you should put it in either .invalid or a domain you control,
rather than inventing a domain at random.)
> It's not an address. It goes nowhere.
Later in this very message, you yourself say:
When you do a DNS lookup on the domain
"bite.me.you.damn.spammers", the result might be an indication whether or
not that address is valid.
Note that last line. This would seem to indicate that you too believe it
is an address, and that the only question is whether it's a valid address.
> This sudden desire on your part to cut off debate because Charles says so
> doesn't change the fact that this "quirk of wording" has been in the draft
> for a long time and was pointed out a long time ago.
When Charles asked for any remaining comments on an intended-to-be-final
draft, nothing was heard on the matter.
> > The standard is primarily addressed to implementors, not users.
>
> The standard applies to users, too.
Certainly; note the word "primarily". It has implications for users, but
like all standards, it is directed at people who will read it carefully
and thoroughly, rather than jumping to conclusions based on an isolated
phrase.
> I've give you a free clue, though. When you do a DNS lookup on the domain
> "bite.me.you.damn.spammers", the result might be an indication whether or
> not that address is valid.
Or it might not, depending on whether the relevant DNS servers are up and
accessible from my machine at the time. It's even possible that your
registration for the .spammers TLD is supposed to go through tomorrow and
you're just anticipating it a bit. What's more, because of things like
wildcard MXes, getting data back from the DNS lookup doesn't actually
prove much about the domain's validity, never mind that of the address.
> >And what about the terser jerk who writes it "joe@bite.me", without
> >considering that .me may be a valid TLD?
>
> 1) It isn't. It took me less than 15 seconds to figure that out. 2) If it
> were, it is outside the scope of this discussion, since we aren't talking
> about forged addresses, only munged ones.
Why do you believe there is a sharp distinction between the two? Quite
possibly there may someday be a .me TLD. The only address that is
*guaranteed* munged rather than forged, without domain-specific knowledge,
is one that ends in .invalid.
> >The way for a user to determine such things is
> >by reading a suitable tutorial, not a standard.
>
> And just what document do you imagine might be used as a reference for any
> such tutorial? And do you think that tutorial should match this draft or
> contradict it? Just what document is the user supposed to read if he wants
> to learn more than the tutorial tells him?
To take an example that our esteemed editor will recognize, if the user
wants to learn more than the "Informal Introduction to Algol 68" will
teach him, he needs to read the Algol 68 Report... but he will not find it
easy reading, nor will he be likely to get the right answer if he seizes
on a single sentence from it without carefully understanding the context.
A tutorial author has a non-trivial job to do, not just in deciding what
(if anything) to leave out, but in pulling together all information about
a specific topic from various places in the standard where it is
addressed, and explaining the exact implications. That is why a user
should be reading a tutorial, not a standard. Our standard is actually
better than most in discussing the implications of its rules, but it
cannot realistically cover everything.
> No, sir, silently circumventing the user's explicit action is wrong, and
> should be clearly identified as such in this draft.
What, exactly, constitutes "the user's explicit action"? It is not
trivial for the software to decide whether a user is deliberately using an
unreplyable address, or whether this is just the result of a typo or the
software's inevitably-incomplete information about validity of addresses.
On thinking about this, it occurs to me that there is a reasonable way to
accommodate your wishes. We forbid injectors to silently supply further
address information... if, and only if, the address in the From header
ends in ".invalid".
That is, after all, the *only* definitive proof -- aside from information
conveyed by implementation-dependent channels specific to the software --
that the address is *deliberately* invalid.
In that specific case, it's reasonable to forbid adding further address
information without user approval. You can ask, or you can refuse the
article, but you can't silently add address information. But only if the
user has *explicitly* indicated his intentions, by using the .invalid TLD.
Henry Spencer
henry@spsystems.net