Re: [apps-discuss] Comments on draft-hryckelynck-writing-rfcs-01
hub ryck <hub.ryck@gmail.com> Thu, 17 May 2012 11:12 UTC
Return-Path: <hub.ryck@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AAB321F858D for <apps-discuss@ietfa.amsl.com>; Thu, 17 May 2012 04:12:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.733
X-Spam-Level:
X-Spam-Status: No, score=-2.733 tagged_above=-999 required=5 tests=[AWL=-0.135, BAYES_00=-2.599, GB_AFFORDABLE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hSOUQu2oBTi5 for <apps-discuss@ietfa.amsl.com>; Thu, 17 May 2012 04:12:53 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7E0DE21F858A for <apps-discuss@ietf.org>; Thu, 17 May 2012 04:12:53 -0700 (PDT)
Received: by dacx6 with SMTP id x6so2348155dac.31 for <apps-discuss@ietf.org>; Thu, 17 May 2012 04:12:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=qoyJmxtCPMzntmasyuIl9PrysyBuNexeIjvZ9jkUX6g=; b=cbxvIEe+mmkf4abF2x/4Dy+65NTDPJRU2QTT1NFdVu1Zs8Lxp0TBuzJIlG57CGlrqx B0t/zC4BFvQdoG8aZSwburTiAjFyJ0DqoWLSY9KVFZ8EClLO8oXgV0/e2NIicoDFH0Ia cCqKvBI1vJLh3dB9ba+OJXyMEBhdBHTbo88KkHHAxwynraHD++BZ49PgCvVerIbv4+eV 3domU8wEcNzEYkCGpGfs+EFBlgHrAu0fnIO+Y5VgRm3ZhudeBabnTBWy9hrc/mYUjNpK HECAaPaOBr4yILd9CY5i9YSg0oC+qFnCM0UmSZ6jTyBtzBegqH2nXKc7Ij9R3AMy8Jma lTvQ==
MIME-Version: 1.0
Received: by 10.68.129.102 with SMTP id nv6mr26512229pbb.38.1337253173215; Thu, 17 May 2012 04:12:53 -0700 (PDT)
Received: by 10.68.125.195 with HTTP; Thu, 17 May 2012 04:12:53 -0700 (PDT)
In-Reply-To: <6.2.5.6.2.20120429134847.08f02068@resistor.net>
References: <6.2.5.6.2.20120421143240.07253358@elandnews.com> <CAAyzDoSNZUiRnfg7tePdaSY1xjmQqqW37TbwMk8mL-uVKHEuTg@mail.gmail.com> <6.2.5.6.2.20120429134847.08f02068@resistor.net>
Date: Thu, 17 May 2012 13:12:53 +0200
Message-ID: <CAAyzDoRZLOoh2aTJJpkQaR-3Z4d33U3wD62P4346=Pqph3iBAw@mail.gmail.com>
From: hub ryck <hub.ryck@gmail.com>
To: SM <sm@resistor.net>
Content-Type: multipart/alternative; boundary="047d7b10cf775d41e304c03984b5"
X-Mailman-Approved-At: Thu, 17 May 2012 08:06:31 -0700
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] Comments on draft-hryckelynck-writing-rfcs-01
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2012 11:12:57 -0000
Hi, ------------------------------------ * Modified in new version "draft-hryckelynck-writing-rfcs-03" You might wish to choose a different filename for the draft as the "writing-rfcs" does not say much about the subject of the draft. * I did a mistake when I posted the first version. I wanted to change the name but I don't know how. The problem is, when I post a new version, if I change the name how the site will related it to the previous version ? ------------------------------------ ------------------------------------ *You are right. In fact I was thinking pornographic content should not be sent to a working environment. But then you could also say that some people are working in the pornographic business. So I will take another example. The draft does not mention that it is applicable to a working environment only. As you mentioned above, it can be argued that there are work environments where such content may be used. "Mails with, for example, an attempted fraud content are easy to identify as mails we MUST intercept." Some people may ask how to identify "fraud content". It's easy to say that fraud MUST be intercepted. If there is no way to identify fraud, it cannot be implemented. * "it is easy to say" is ok for me. I modified section 1 in draft "draft-hryckelynck-writing-rfcs-04" as follows : "It is easy to say that mails with, for example, an attempted fraud content are mails we must intercept." Thank you ! ------------------------------------ ------------------------------------ * I did not remember of this RFC. Thank you for the information. There are a lot of RFCs. Some of them contain good ideas, some of them contain bad ideas. It is up to you to assess whether the contents of the RFC are appropriate or not. The only differences I could find between RFC 706 and my draft are : - a list of sources to refuse against a list of source to accept - a list of sources kept per host against a list of sources kept for any host. But as RFC 706 described these differences only as possibilities and as it mentions it is an open issue, we could consider my draft is an attempt to give an answer to the same problematic. I have then referenced RFC 706 directly in section 1 in new version "draft-hryckelynck-writing-rfcs-03" as follows : "With this in mind, it MAY be useful to find a mechanism for users to choose themselves who will be able to send them some mails as that was suggested in RFC 706 [RFC706]." I suggest not using RFC 706 as a reference unless you are sure that you can make a case for why it is relevant. There were and there still are open issues. It may help to research why some of these open issues remain open after over 25 years and see whether the answer you provide was not proposed previously before being considered as not workable. * I deleted reference to RFC706 in draft "draft-hryckelynck-writing-rfcs-04" Following your suggestion "It may help to research why some of these open issues remain open after over 25 years and see whether the answer you provide was not proposed previously before being considered as not workable." I checked every expired draft containing "mail" or "smtp" or "spam". I could see that finding a way to get the user advice has been a concern for others. But none of the previous approaches I found is close from the one I propose. The previous approaches I identified (I may have miss some) in the expired drafts are mainly about : - requesting the user advice with a "Challenge/Response" - accepting or rejecting the sender adress "Challenge/response" systems add suplementary work. => First message received from a new domain has to be treated anyway and can be considered as a challenge and the user action on this message can be considered as a response. based the accept/reject on the sender address is not (yet?) affordable in both of ressources and cost. => accept/reject on the domain would be much more affordable. More over there is no method to check the user part today while we have method to check if domain exists (DNS), and if the sender who uses the domain is who he pretends to be (SPF, SENDER ID, DKIM). ------------------------------------ ------------------------------------ * "For this purpose you may need other mechanism that could be viewed as complementary like Sender ID [RFC4406], SPF [RFC4408] or DKIM [RFC6376]." That doesn't really answer the question I asked. :-) * I was not sure of what you meant when you asked "What is my opinion". I thought I had to reference both SPF and Sender ID as the note says : "The IESG takes no position about which approach is to be preferred" Also, I realized, as these RFCs are experimental, I may have referenced them as non normative ? My opinion is that it is too bad "efforts to reconcile the two approaches have failed". But I don't think it will help :-) I didn't know you were writing a draft on the subject => "draft-moonesamy-senderid-spf-conclusion-xx" I could give you a return of my own experience on this subject if you like. ------------------------------------ ------------------------------------ * As a newcomer I have a question. Do I need your authorization to reference your name as contributor in my draft ? You do not need my authorization to provide an acknowledgement. If you were to add me as an author, for example, it is better if you seek authorization first. If you are unsure, it is easier to ask.* I added your name as a contributor in the acknowledgement section of new draft "draft-hryckelynck-writing-rfcs-04" Would you like to be an author ? I would be more than happy if you want to. ------------------------------------ ------------------------------------ *There is a lot I would change. For example, this is from the Abstract section: "Mail Accepted by Previous Sending defines a mechanism by which incoming unsollicited mails may be rejected or penalized by a MTA if their sender address domains has never been a destination for the outgoing mails treated by this MTA."* *The email I sent to you was unsolicited. Are you sure that the MTA for your mailbox has seen emails with my email address as a destination? If the answer is no, my email would be rejected or penalized by the MTA at your end. There is a higher probability that you would not be seeing my previous message. There is a word in my previous message which could get it tagged as containing offensive content.* The mail exchange we had is a really good example to discuss. As a matter of fact your first mail arrived in the junk mail directory :-) It is clear that Public Messagery can not implement an "offensive policy" as described in section 6.1. And that's why I wrote in section 7.2.2.1. (Which Strategy for which user / Public messagery / as a receiver) the following. " Public messagery, if they finally decide to implement such mechanism, WOULD probably choose a defensive strategy like : o put the "non accepted" mail in the junk mail directory o accept the domain for the user if he declares a mail from this domain is not an unsollicited mail." If we look now on what happen with IETF mailing list, my mail was submitted to approbation. It looks like my mail has to be "accepted" by someone. Also I could find in RFC3683, "maintainers of any IETF mailing list may, at their discretion, also remove posting rights to that IETF mailing list." But anyway I see what you mean, and I modified "draft-hryckelynck-writing-rfcs-04" as follows : - in section 3.3.2.2. (I put a reference to section 6) "* If the answer is no, none of our users has explicitly, by sending some mail to it, declared that he wants to communicate with this domain and then we MAY apply some policy to reject or penalize the mail (see section 6)." Even in the most offensive policy (reject and notify), this mechanism is fully compliant with the SMTP responsability notion (deliver or report). - in section 4.1. (I added penalize) : o Start to reject or penalize non previoulsy accepted domain. - in section 6.1 (I put a warning about offensive policy) : "Offensive Policy" here means, mail that match the policy will be directly rejected. WARNING : You SHOULD carefully check what are your users need before to apply an offensive policy as described below, because you MAY reject some sollicited mails. If you are not sure it is preferable to choose defensive policy (see section 6.2) ------------------------------------ ------------------------------------ *The draft is more about email practices than a protocol. There is a difference between the notion of responsibility for hand-off (relaying messages) and the notion from a non-technical perspective. There is a note in the paragraph before Section 1.2 of draft-klensin-rfc2821bis-06. I suggest that you take a look at it.* I fully agree with "the paragraph before Section 1.2 of draft-klensin-rfc2821bis-06". Drafts treating about spam issues has to be viewed as "best practices and extensions for use with email to minimize the problem." They should avoid "changes in the email environment that sacrifice functionally" particularly "the expectation that mail will be either delivered as expected or properly rejected" This can change "but the discussion about whether a different model is desirable should occur before we start adding text to this document." In my point of view, a part of that discussion should be how we could establish that the "delivery is mutually desired (whether expected or not) by both sender and recipient." Until those discussions produce a wide consensus they "should be in documents that build on RFC 2821 and 2821bis (and 2822 and 2822bis), rather than being part of them." So I will do an answer similar to the one I made about experimental status. At this stage, "draft-hryckelynck-writing-rfcs-xx" has to be viewed as a practice and then if the community gives sympathetic consideration to this practice we could then design parts of this practice as a protocol (like for example communication between MTA and Base) or as protocol extensions (specific header, error code, ...). In resume : 1- what about this idea ? 2- work 3- if idea is OK => what about a practice ? 4- work 5- if practice is OK => what about designing parts of this practice as a protocol ? Do I have to modify something in this sense in the draft headers to show this is a Practice and not a protocol ? Is "Intended status: Experimental" still OK ? ======================== Also, I received the following comment from Dave Crocker "the proposal does not seem to require any user choice". As a matter of fact at this stage I was only proposing to store information about domain to which users were sending mail. But If we want to store an explicit answer from the users (as a real challenge/response) we would need some new elements : - a 3 directories system (INBOX, NEW, JUNK) instead of the traditionnal 2 directries system (INBOX, JUNK). - store the domain names and values representing the user's declaration (accepted, rejected) instead of only the domain name. Please find below an explanation of how it could work (copy the following scheme in a txt file) : 1.6 +--+--+ +------------------------------------->|AC|RE| | +---------------+ | +---|@dom2.com|01|00|<---+ 2.2 | | +-|@dom1.com|00|00|<-+ | 1.2 | | | +---------------+ | | | | +-------+ +--------+ | | +-----+ | | +------+ | | | | | ####|#################### ####|###|###|###|#### # | # # | | | | # # | MUA ######### # # | | | | # # | # # # 2.3 # | | | | # 2.1 # | 1.5 # INBOX #<-----------+ | | +--------- # | +-----># # # # | | # # | | ######### # # | | # # ######## 1.4 # # | | # # #ACCEPT#<---######### # # | | # # ######## # # # 1.3 # | | # 1.1 # # NEW #<---------------+ +------------- # ######## 3.4# # # # # # #REJECT#<---######### # # # # ######## # # MTA # # | | 3.5 ######### # # # # | +-----># # # 3.3 # # 3.1 # | # JUNK #<---------------+ +------------- # | # # # # | | # # | ######### # # | | # # | # # | | # ####|#################### # | | # | # | | # | +-------+ # | | # 4.1 | | | 4.3 # | | +--------- | | DROP |<-----------+ | | | # | | | # | | | | # | +-------+ ####|###|###|###|#### | | | | | | +-----+ | | +------+ | | +-------+ +--------+ | | | | +---------------+ | | | | +-|@dom3.com|00|01|<-+ | 3.2 | +---|@dom4.com|01|10|<---+ 4.2 | +---------------+ | |AC|RE|<-+ | 3.6 +--+--+ | +-----------------------------------------------+ 1.1 : A mail arrives from @dom1.com on the MTA. 1.2 : The MTA checks in the base and sees nobody has previously accepted this domain ("00" in the column "AC"). 1.3 : The MTA adds a "new" header and send it to the MUA. A rule on the MUA identifies the header and put the mail in the "NEW" Directory. 1.4 : If the user wants do declare this mail is sollicited, he clicks on the "ACCEPT" button. 1.5 : Then the MUA puts the mail in the "INBOX" Directory 1.6 : and declares the domain as accepted in the base (+1 in the column "AC"). 2.1 : A mail arrives from @dom2.com on the MTA. 2.2 : The MTA checks in the base and sees somebody has previously accepted this domain ("01" in column "AC"). 2.3 : The MTA sends it to the MUA and the MUA put the mail in the "INBOX" Directory. 3.1 : A mail arrives from @dom3.com on the MTA. 3.2 : The MTA checks in the base and sees somebody has previously rejected this domain ("01" in column "RE"). 3.3 : The MTA adds a "junk" header and send it to the MUA. A rule on the MUA identifies the header and put the mail in the "JUNK" Directory. 3.4 : If nobody had accept or reject the mail from @dom3.com, the mail would have been sent whith a "new" header in the "NEW" box and then the user may have wanted do declare it as unsollicited by clicking on the "REJECT" button. 3.5 : the MUA would then have put the mail in the "JUNK" Directory 3.6 : and declares the domain as rejected in the base (+1 in the column "RE"). 4.1 : A mail arrives from @dom4.com on the MTA. 4.2 : The MTA checks in the base and can see somebody has previously accepted this domain ("01" in column "AC") but also that mails from this domain has been rejected 10 times ("10" in column "RE"). 4.3 : If 10 is more than the limit the administrator fixed the mail is directly dropped. ============ I'm looking forward for your comment. Thank you very much again for your time and your help. Regards, Hubert 2012/4/29 SM <sm@resistor.net> > > Hi Hubert, > > At 09:59 29-04-2012, hub ryck wrote: >> >> About April 1st, I confirm to you this is not a "funny RFC". >> I do not have a plan yet about how long this experiment should be run. >> If the community gives sympathetic consideration to this idea maybe one day I would intend another status. But at this time the only intended status is experimental. > > > Ok. > > >> Modified in new version "draft-hryckelynck-writing-rfcs-03" > > > You might wish to choose a different filename for the draft as the "writing-rfcs" does not say much about the subject of the draft. > > >> You are right. In fact I was thinking pornographic content should not be sent to a working environment. But then you could also say that some people are working in the pornographic business. So I will take another example. > > > The draft does not mention that it is applicable to a working environment only. As you mentioned above, it can be argued that there are work environments where such content may be used. > > >> "Mails with, for example, an attempted fraud content are easy to identify as mails we MUST intercept." > > > Some people may ask how to identify "fraud content". It's easy to say that fraud MUST be intercepted. If there is no way to identify fraud, it cannot be implemented. > > >> As this section is talking about the responsabilty notion described in RFC5321, >> I replaced in new version "draft-hryckelynck-writing-rfcs-03" the term "Philosophy" by "responsibility notion" in the entire section 3. > > > Ok, for now. > > >> In RFC 5321, section 3.6.2 on page 27 : >> "A server MAY attempt to verify the return > > > I missed that. > > >> I did not remember of this RFC. Thank you for the information. > > > There are a lot of RFCs. Some of them contain good ideas, some of them contain bad ideas. It is up to you to assess whether the contents of the RFC are appropriate or not. > > >> The only differences I could find between RFC 706 and my draft are : >> - a list of sources to refuse against a list of source to accept >> - a list of sources kept per host against a list of sources kept for any host. >> >> But as RFC 706 described these differences only as possibilities and as it mentions it is an open issue, we could consider my draft is an attempt to give an answer to the same problematic. I have then referenced RFC 706 directly in section 1 in new version "draft-hryckelynck-writing-rfcs-03" as follows : >> >> "With this in mind, it MAY be useful to find a mechanism for users to >> choose themselves who will be able to send them some mails as that >> was suggested in RFC 706 [RFC706]." > > > I suggest not using RFC 706 as a reference unless you are sure that you can make a case for why it is relevant. > > There were and there still are open issues. It may help to research why some of these open issues remain open after over 25 years and see whether the answer you provide was not proposed previously before being considered as not workable. > > >> "For this purpose you may need other mechanism that could be viewed as complementary like Sender ID [RFC4406], SPF [RFC4408] or DKIM [RFC6376]." > > > That doesn't really answer the question I asked. :-) > > >> As a newcomer I have a question. Do I need your authorization to reference your name as contributor in my draft ? > > > You do not need my authorization to provide an acknowledgement. If you were to add me as an author, for example, it is better if you seek authorization first. If you are unsure, it is easier to ask. > > >> Please tell me if there is anything else you would change. > > > As I mentioned previously, the draft needs more work. It would help if you could get reviews of the draft from other people involved in email. > > There is a lot I would change. For example, this is from the Abstract section: > > > "Mail Accepted by Previous Sending defines a mechanism by which > incoming unsollicited mails may be rejected or penalized by a MTA if > > their sender address domains has never been a destination for the > outgoing mails treated by this MTA." > > The email I sent to you was unsolicited. Are you sure that the MTA for your mailbox has seen emails with my email address as a destination? If the answer is no, my email would be rejected or penalized by the MTA at your end. There is a higher probability that you would not be seeing my previous message. There is a word in my previous message which could get it tagged as containing offensive content. > > The draft is more about email practices than a protocol. There is a difference between the notion of responsibility for hand-off (relaying messages) and the notion from a non-technical perspective. There is a note in the paragraph before Section 1.2 of draft-klensin-rfc2821bis-06. I suggest that you take a look at it. > > Regards, > -sm
- [apps-discuss] Comments on draft-hryckelynck-writ… SM
- Re: [apps-discuss] Comments on draft-hryckelynck-… hub ryck
- Re: [apps-discuss] Comments on draft-hryckelynck-… Dave Crocker
- Re: [apps-discuss] Comments on draft-hryckelynck-… SM
- Re: [apps-discuss] Comments on draft-hryckelynck-… hub ryck
- Re: [apps-discuss] Comments on draft-hryckelynck-… hub ryck
- Re: [apps-discuss] Comments on draft-hryckelynck-… Barry Leiba
- Re: [apps-discuss] Comments on draft-hryckelynck-… SM
- Re: [apps-discuss] Comments on draft-hryckelynck-… hub ryck