IETF Logo Mail Archive

Re: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02

Frank Ellermann <nobody@xyzzy.claranet.de> Fri, 09 December 2005 17:54 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EkmSN-0000ui-6K; Fri, 09 Dec 2005 12:54:55 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EkmSH-0000tp-4C for ietf@megatron.ietf.org; Fri, 09 Dec 2005 12:54:53 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA07659 for <ietf@ietf.org>; Fri, 9 Dec 2005 12:53:40 -0500 (EST)
Received: from main.gmane.org ([80.91.229.2] helo=ciao.gmane.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EkmSC-0004el-IS for ietf@ietf.org; Fri, 09 Dec 2005 12:54:49 -0500
Received: from root by ciao.gmane.org with local (Exim 4.43) id 1EkmOq-0005Rg-Jg for ietf@ietf.org; Fri, 09 Dec 2005 18:51:16 +0100
Received: from 1cust60.tnt7.hbg2.deu.da.uu.net ([149.225.100.60]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf@ietf.org>; Fri, 09 Dec 2005 18:51:16 +0100
Received: from nobody by 1cust60.tnt7.hbg2.deu.da.uu.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf@ietf.org>; Fri, 09 Dec 2005 18:51:16 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: ietf@ietf.org
From: Frank Ellermann <nobody@xyzzy.claranet.de>
Date: Fri, 09 Dec 2005 18:37:10 +0100
Organization: <URL:http://purl.net/xyzzy>
Lines: 65
Message-ID: <4399C0C6.48EB@xyzzy.claranet.de>
References: <200512081104.09113.julian@mehnle.net> <4398AE3D.512D@xyzzy.claranet.de> <Pine.LNX.4.64.0512090838400.13902@netcore.fi>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Complaints-To: usenet@sea.gmane.org
X-Gmane-NNTP-Posting-Host: 1cust60.tnt7.hbg2.deu.da.uu.net
X-Mailer: Mozilla 3.0 (OS/2; U)
X-Spam-Score: 0.2 (/)
X-Scan-Signature: b4a0a5f5992e2a4954405484e7717d8c
Content-Transfer-Encoding: 7bit
Cc: spf-discuss@v2.listbox.com
Subject: Re: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

Pekka Savola wrote:
 
> 1) make no changes to the spec.   The spec (assumably)
>    documents the existing behaviour, even if it is
>    conflicting.

SPF (both v=spf1 and spf2.0, there is no "v=pf2.0") allows
to log DNS queries.  That's documented in the v=spf1 draft:
With SPF's "exists:"-mechanism it's possible to log when
somebody tries to evaluate the policy.

Result of this experiment (last state that I've heard of):
Absolutely nobody evaluates "spf2.0/pra".  This "opt-out"
strategy from the PRA-experiment does not work.

Adding an "IESG note" to the v=spf1 spec. how participants
of this "experiment" could "opt-out" from the PRA-experiment
by adding dummy PRA-records, where this in practice doesn't
work, is pointless.

For SPF-"experiment" read about 1.000.000 published policies
with about 10 independent interoperable implementations, and
for PRA-experiment read "nobody really uses or wants PRA".

No joke, I offered a simple PRA-"opt-in" modifier for v=spf1,
and the precise number of interested v=spf1 users was _zero_ :
<http://purl.net/xyzzy/home/test/draft-spf-6-3-options-09.txt>

So in practice nobody wants PRA, and almost nobody bothers to
implement spf2.0/pra, "opt-out" by dummy PRA records is doomed.

But there's still the danger that somebody implements a post-
SMTP PRA-check abusing v=spf1 records.  An ignorant somebody
thinking that a PRA-PASS or a PRA-FAIL indicated by a MUA is
cute even if it's wrong.

At this point he has already violated several SHOULD NOT and
won't care about details like "this PRA-result is a bad PRG".

But unfortunately it will _apparently_ work as expected for
most mails.  Users will believe that a PRA-FAIL is spam, and
a PRA-PASS is no phish.   Getting it wrong in those cases
where the PRA is not the same as the Return-Path.

> the IESG decided that accurate documentation of the running
> code is more important than documenting something that does
> not exist, and maybe never will exist.

If there is running spf2.0/pra code it apparently fails to
honour the dummy "opt-out" records.  And there's of course no
chance to add those dummy spf2.0 records to about 1.000.000
published v=spf1 policies in this decade:

SPF (both v=spf1 and spf2.0) is designed that you can forget
a published policy as soon as it's correct, and as long as
you don't change your (sending) mail setup.  

Publishers of v=spf1 policies in 2004/05 have no reason to
find an obscure "IESG note" asking them to "opt out" from the
unrelated PRA-experiment of 2005/06.

Maybe it won't work even if they'd find and try it, see above.

                         Bye, Frank



_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email