IETF Logo Mail Archive

Re: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02

"william(at)elan.net" <william@elan.net> Wed, 14 December 2005 17:42 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmaeS-0000s0-0x; Wed, 14 Dec 2005 12:42:52 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmaeQ-0000qV-7e for ietf@megatron.ietf.org; Wed, 14 Dec 2005 12:42:50 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA00283 for <ietf@ietf.org>; Wed, 14 Dec 2005 12:41:43 -0500 (EST)
Received: from sokol.elan.net ([216.151.192.200]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EmafW-00012B-Vc for ietf@ietf.org; Wed, 14 Dec 2005 12:43:59 -0500
Received: from sokol.elan.net (sokol [127.0.0.1]) by sokol.elan.net (8.13.1/8.13.1) with ESMTP id jBEHgdYj016862; Wed, 14 Dec 2005 09:42:39 -0800
Received: from localhost (william@localhost) by sokol.elan.net (8.13.1/8.13.1/Submit) with ESMTP id jBEHgcgC016859; Wed, 14 Dec 2005 09:42:39 -0800
X-Authentication-Warning: sokol.elan.net: william owned process doing -bs
Date: Wed, 14 Dec 2005 09:42:38 -0800
From: "william(at)elan.net" <william@elan.net>
To: Douglas Otis <dotis@mail-abuse.org>
In-Reply-To: <1134578214.5110.83.camel@bash.adsl-64-142-13-68>
Message-ID: <Pine.LNX.4.62.0512140838560.6721@sokol.elan.net>
References: <200512092141.NAA00720@gra.isi.edu> <x4fyp1n5xs.fsf@footbone.schlitt.net> <tslbqznbcem.fsf@cz.mit.edu> <x48xuqksa1.fsf@footbone.schlitt.net> <1134489989.5110.47.camel@bash.adsl-64-142-13-68> <439F0E4C.1493@xyzzy.claranet.de> <x4slswke7k.fsf@footbone.schlitt.net> <F7153948-7108-4DC0-B89E-F8B4A19CCCC1@mail-abuse.org> <Pine.LNX.4.62.0512131325560.6721@sokol.elan.net> <1134578214.5110.83.camel@bash.adsl-64-142-13-68>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc: ietf@ietf.org, wayne <wayne@schlitt.net>
Subject: Re: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

On Wed, 14 Dec 2005, Douglas Otis wrote:

> Actually there was case that came close to this limit by an access
> provider, but was rewritten into CIDR notation to reduce the number of
> records, increasing their chances for error.  At the email
> authentication summit in NY, there was a large company that complained
> they could still not fit into this large limit.  DNS is well designed to
> resolve host names and sub-sets of hosts for a domain.  SPF wants this
> to always be a complete set, even for multiple domains.

Nobody said it wants to be complete set and that all possible ip
addresses must be entered in one spf record of 512 bytes as ip ranges
(although clearly this can be achieved with majority of domains). And
there are in fact people at SPF that believe that it should be more
properly layered and it is desirable to list mx and host names and then 
those are resolved to ip address by A lookup (i.e. like CSV) even though 
that causes 2 lookups instead of just one.

>> Funny how you forget to mention that what is called BATV was invented
>> by people working on SPF - at first as advanced version of SRS, which
>> was thereafter released as SES [1] and anybody with technical knowledge
>> will quickly see that BATV basically implements subset of SES (although
>> I agree that is the more useful subset of that proposal).
>
> The idea of tagging the Return-path was not invented by the SPF group.
> Something like VERP could be an example.  It would be incorrect to
> describe the simplicity of BATV as having a genesis from the SPF group.
> RFC2304 could be called the genesis for the idea.  : )

I did not say "tagged" return path - certainly VERP is predecessor to
SRS in that idea. I did say encrypted address, i.e. using private (or 
public) encryption scheme to create custom "tag" for use in return-path - 
this is what SES is about and what BATV afterward used as well.

> BATV would be the correct choice in my view.  SES attempts the same
> everything and the kitchen-sink complexity that could be seen as the
> hallmark of SPF, which also makes SPF with its problems an integral
> component.

The difference is purely semantic in different formats for return-path
tag. Thereafter you have a choice of which schemes to use which BATV
does not describe in the draft at all and SES describes in quite a bit
of detail but in practice if you don't want to use particular scheme,
you dont have to (as far as I know most people who use SES are doing 
similar with HMAC private scheme as what one person using BATV does).

And BTW as I mentioned similar also applies for its use, SES can be
used independent of SPF implemented on the sender site only processing
incoming bounces, 100% same as BATV. But it can also [optionally] be
implemented as external service [again optionally] integrated with SPF. 
These are all extra functionality one does not have to use if he/she 
does not want to.

What is clear to me is that SES people did not publish their spec right 
and should have separated it into several documents - one describing 
MAILFROM tag semantics [doc 100% equivalent to BATV] and then couple
documents describing signature schemes and then document describing 
public dns validation service and another one for special alternative
udp validation. I told them as much and as you know at some point tried 
to advocate that BATV and SES work together because I thought BATV has
done a good job on writing semantics draft already (which could be made
compatible with everything else with just few changes), where as SES
have done fairly good job describing other details for cryptographic 
signature generation, etc. Unfortunately neither group had any serious
interest in working together.

And as far as my opinion using BATV/SES together with SPF makes more
sense - both in reducing computation cryptographic computation when
it does not have to be used and also because by itself BATV/SES are
easily suspectable to a replay attack.

-- 
William Leibzon
Elan Networks
william@elan.net

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email