IETF Logo Mail Archive

Re: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02

"william(at)elan.net" <william@elan.net> Wed, 14 December 2005 15:06 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmYDS-0008F2-E3; Wed, 14 Dec 2005 10:06:50 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmYDP-0008Dc-Dh for ietf@megatron.ietf.org; Wed, 14 Dec 2005 10:06:47 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA07256 for <ietf@ietf.org>; Wed, 14 Dec 2005 10:05:38 -0500 (EST)
Received: from sokol.elan.net ([216.151.192.200]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EmYEQ-0002Cp-HG for ietf@ietf.org; Wed, 14 Dec 2005 10:07:52 -0500
Received: from sokol.elan.net (sokol [127.0.0.1]) by sokol.elan.net (8.13.1/8.13.1) with ESMTP id jBEF6Nm5014022; Wed, 14 Dec 2005 07:06:23 -0800
Received: from localhost (william@localhost) by sokol.elan.net (8.13.1/8.13.1/Submit) with ESMTP id jBEF6Mss014019; Wed, 14 Dec 2005 07:06:23 -0800
X-Authentication-Warning: sokol.elan.net: william owned process doing -bs
Date: Wed, 14 Dec 2005 07:06:22 -0800
From: "william(at)elan.net" <william@elan.net>
To: Douglas Otis <dotis@mail-abuse.org>
In-Reply-To: <F7153948-7108-4DC0-B89E-F8B4A19CCCC1@mail-abuse.org>
Message-ID: <Pine.LNX.4.62.0512131325560.6721@sokol.elan.net>
References: <200512092141.NAA00720@gra.isi.edu> <x4fyp1n5xs.fsf@footbone.schlitt.net> <tslbqznbcem.fsf@cz.mit.edu> <x48xuqksa1.fsf@footbone.schlitt.net> <1134489989.5110.47.camel@bash.adsl-64-142-13-68> <439F0E4C.1493@xyzzy.claranet.de> <x4slswke7k.fsf@footbone.schlitt.net> <F7153948-7108-4DC0-B89E-F8B4A19CCCC1@mail-abuse.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3
Cc: ietf@ietf.org, wayne <wayne@schlitt.net>
Subject: Re: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

On Tue, 13 Dec 2005, Douglas Otis wrote:

> The reduction to 111 DNS lookups is not a resounding impact with 
> respect to this concern.

You can do setup that involves multiple CNAME and NS redirections
with DNS and it all could come to those 100 lookups. In practice
these setups do not exist though and neither have I seen any serious 
reports of SPF records that cause 100 lookups (your tests that setup
these records on purpose is not good indicator of how administrators 
enter spf records).

> SPF is not about validating the purported author of a message. SPF 
> deals with forged return-paths.  For this protection, SPF depends
> upon wide adoption by others before a benefit is obtained, hence the 
> reluctance to correct the lack of scope.  BATV, on the other hand, 
> provides immediate benefits when forged return-paths are used in DSNs 
> (the only place where a return-path is intended to be used).

Funny how you forget to mention that what is called BATV was invented
by people working on SPF - at first as advanced version of SRS, which
was thereafter released as SES [1] and anybody with technical knowledge
will quickly see that BATV basically implements subset of SES (although
I agree that is the more useful subset of that proposal).

[1] http://ses.codeshare.ca/files/Working_SES_Format_Definition_16.pdf

However it also happens to be that the same subset can be used quite
well with SPF (in a way BATV would never support) - in particular SES 
allows sender to run not only private validating service that checks
incoming email bounces, but also public validating server (using dns 
protocol for confirming verification) which based on given RFC2821 
mailfrom address can say if it is properly signed SES address. This 
allows for for bad bounces to be stopped closer to the source and
knowing new validation system is not required as it can be done with
SPF record (using exists mechanism to redirect to validating server).

The benefit of such combined SPF/SES setup is that if the email
comes directly from the ip block listed in spf record, then extra 
cryptographic validation (and contacting external service) is not
required (and these account for majority of real-life cases) where
as in other cases using SES service can provide results that would
make SPF work with forwarding and for roaming users.

So in practice SES/BATV cryptographic MAILFROM should not be looked
at an alternative to RMX/SPF method. In fact they both are stronger
when combined together, however unfortunately the different proponents 
fail to point this fact to the wider audience (plus BATV proponents 
obviously ignore the history of this concept both when advocating it
and in the written text).

-- 
William Leibzon
Elan Networks
william@elan.net

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email