Re: [apps-discuss] Updating the status of SPF

[Scott Kitterman <scott@kitterman.com>]

On Thursday, August 11, 2011 03:10:40 PM Frank Ellermann wrote:
> On 11 August 2011 19:59, Murray S. Kucherawy wrote:
> > WFM so far.
> 
> Same here after figuring out that this means "works for me".  There used to
> be a kind of consensus in the OpenSPF community, that any future version
> (neither v=spf1 nor spf2.0/anything) shall use only DNS SPF RRs (not TXT),
> and the WG should be free to say so in 4408bis if desired.

I disagree.  Type SPF has almost zero deployment, so using only Type SPF is 
not consistent with preserving the installed base.

> The WG should be also free to say that spf2.0/anything for "mfrom" is now
> considered as obsolescete for the purposes of v=spf1, with more details
> to be determined by the WG as desired.  I'd like to have it clear that
> 4408bis does not require or care about any spf2.0/mfrom records as noted
> in RFC 4406 section 4.4 clause 3, and that 4408bis shall be interpreted
> as specified in 4408bis, notably not as in RFC 4406 section 4.4 clause 4.
> 
> This issue is already covered in the RFC 4408 security considerations, and
> in its IESG note at the begin, therefore 440bis should have this as clear
> as possible.  An attempt to combine this proposal with Barry's concerns:
> 
> "The WG shall not try to update other RFCs, notably 4405, 4406, 4407, or
>  5321/5322, but may address the spf2.0/mfrom or hypothetical spf2.0/helo
>  scopes wrt 4408bis security considerations."

I don't think the WG should do anything in 4408bis beyond updating 4408.  I 
don't think there's a need for any drafts relative to 4405/6/7 other than the 
one that declares them historic.

We can debate the DNS type issue later on the appropriate list once we have a 
solid charter.

If you feel the need, I think "The WG shall not try to update other RFCs." is 
sufficient.

Scott K