Re: [spfbis] Review of draft-ietf-spfbis-experiment-05

[Scott Kitterman <spf2@kitterman.com>]

On Monday, April 23, 2012 07:19:30 AM John Leslie wrote:
>    (I see by the threading that Scott replied to my email...)

Sorry about that.

> Scott Kitterman <spf2@kitterman.com> wrote:
> > Snip.
> > 
> > That's all true, but not, I think relevant to the question of record
> > reuse.
> 
>    Perhaps Scott might say _what_ he thinks not relevant. Mostly, I was
> quoting the IESG post closing the MARID WG.
> 
> > There was consensus in MARID that reuse of SPF records for Sender ID
> > PRA assessments was technically inappropriate.
> 
>    Um... No.
> 
>    There was a widespread belief among MARID participants that Sender ID
> use of already published SPF records was inappropriate, but it was never
> a WG consensus.
> 
> > I don't think it's correct to apply words about the MARID shutdown to
> > changes that were made later.
> 
>    Scott loses me here. I agree that the Sender ID RFCs were not exactly
> what was discussed before MARID closed -- neither was the SPF RFC...
> But I was only criticizing wording which purported to state an IESG
> _intent_.
> 
>    The IESG posting I quoted (in its entirety) is by definition the best
> source for IESG intent.
> 
>    (Barry and I know firsthand how IESG statements like this are
> generated.)
> 
>    We also have, of course, the IESG statement in the RFCs in question,
> which also represents an IESG consensus (though IMHO probably less work
> went into it than into closing a very-active WG):
> 
> --------------------------------cut here--------------------------------
> RFC 4405          SMTP Responsible Submitter Extension        April 2006
> ...
>    The following documents  (RFC 4405, RFC 4406, RFC 4407, and RFC 4408)
>    are published simultaneously as Experimental RFCs, although there is
>    no general technical consensus and efforts to reconcile the two
>    approaches have failed.  As such, these documents have not received
>    full IETF review and are published "AS-IS" to document the different
>    approaches as they were considered in the MARID working group.
> 
>    The IESG takes no position about which approach is to be preferred
>    and cautions the reader that there are serious open issues for each
>    approach and concerns about using them in tandem.  The IESG believes
>    that documenting the different approaches does less harm than not
>    documenting them.
> 
>    Note that the Sender ID experiment may use DNS records that may have
>    been created for the current SPF experiment or earlier versions in
>    this set of experiments.  Depending on the content of the record,
>    this may mean that Sender-ID heuristics would be applied incorrectly
>    to a message.  Depending on the actions associated by the recipient
>    with those heuristics, the message may not be delivered or may be
>    discarded on receipt.
> 
>    Participants relying on Sender ID experiment DNS records are warned
>    that they may lose valid messages in this set of circumstances.
>    Participants publishing SPF experiment DNS records should consider
>    the advice given in section 3.4 of RFC 4406 and may wish to publish
>    both v=spf1 and spf2.0 records to avoid the conflict.
> 
>    Participants in the Sender-ID experiment need to be aware that the
>    way Resent-* header fields are used will result in failure to receive
>    legitimate email when interacting with standards-compliant systems
>    (specifically automatic forwarders which comply with the standards by
>    not adding Resent-* headers, and systems which comply with RFC 822
>    but have not yet implemented RFC 2822 Resent-* semantics).  It would
>    be inappropriate to advance Sender-ID on the standards track without
>    resolving this interoperability problem.
> 
>    The community is invited to observe the success or failure of the two
>    approaches during the two years following publication, in order that
>    a community consensus can be reached in the future.
> --------------------------------cut here--------------------------------
> 
>    (Perhaps Scott sees some IESG "changes" in this; but I don't...)

It is likely that I am not sufficiently separating myself from the issue since I 
do have strong feelings on the issues of both Microsoft's and the IESG's roles 
in all this, so after this I'll drop it.  I will, however, make one more 
attempt.

Here is a quote from the IESG statement:

>    Note that the Sender ID experiment may use DNS records that may have
>    been created for the current SPF experiment or earlier versions in
>    this set of experiments.  

The IESG did not say something like "SPF and Sender-ID supported use of the 
same policy statement with different semantics".  That sounds much closer to 
"Sender-ID supported use of the same policy statement defined by SPF" to me.

If the group wants to stick closely to what the IESG at the time said, then, 
looping back to my original point about Barry's comment:

> OLD
> 
>    Due to the absence of consensus behind one or the other, and because
>    Sender-ID supported use of the same policy statement defined by SPF,
>    the IESG at the time was concerned that an implementation of
>    Sender-ID might erroneously apply that statement to a message and,
>    depending on selected recipient actions, could improperly interfere
>    with message delivery.
> 
> This seems to have a significant SPF bias.  May I suggest this?:
> 
> NEW
> 
>    Due to the absence of consensus behind one or the other and because
>    SPF and Sender-ID supported use of the same policy statement with
>    different semantics, the IESG at the time was concerned that
>    implementations of SPF or Sender-ID might erroneously apply a
>    statement that had been published with the semantics of the other,
>    and, depending on selected recipient actions, could improperly
>    interfere with message delivery.

Murray's text (labeled "OLD" here) very closely reflects what the IESG said and 
not any kind of bias, but whatever the group wants is fine by me.

Scott K