Mailing List Archive

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Julian Mehnle wrote:
> >> We could decree that it's invalid in chapter 4.8 for consistency with
> >> the <domain-spec> construct always requiring more than one label (in
> >> the absence of macros).
>
> [...]
>
> > You didn't understand what I said. We cannot add this to v=spf1,
> > EVER.
>
> Of course we can. In theory we can approve the damned erratum as is,
> I think at the moment it reflects Stuart's appproach. On their way
> from Proposed Standard to Full Standard specifications can do what you
> see when comparing RFC 1738, 2396, and 3986 (a rather extreme case)
>
> [...]
>
> > existing implementations would have to undergo significant changes
> > in order to remain compliant.
>
> That's the purpose of a "proposed standard" (let alone "experiment"):
> | Implementors should treat Proposed Standards as immature
> | specifications. It is desirable to implement them in order to gain
> | experience and to validate, test, and clarify the specification.
> | However, since the content of Proposed Standards may be changed if
> | problems are found or better solutions are identified, deploying
> | implementations of such standards into a disruption-sensitive
> | environment is not recommended.
>
> Yes, there are differences between RFC 2026 theory (1996) and common
> practice today, but they're nowhere near to your rigid assumptions.
> And almost completely beside the point for an experimental RFC.

Yeah, and we could approve an erratum specifying that v=spf1 be applicable
for PRA checks.

Of course it would break most v=spf1 records. But maybe we suddenly
stopped caring about that? After all, RFC 4408 is just of "experimental"
status, right?

> include_subdomains=yes

For the record: this concept is useless. In order to make this work, all
existing v=spf1 implementations would have to start doing the zone cut
search, and then 99.999% of all zone cut searches would turn out as
pointless (because practically no domain uses that proposed modifier).

I can see reconsidering the zone cut search for v=spf3, though.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGBvEHwL7PKlBZWjsRAtXnAKCiPhOievFedpkr8d80FsFhLxMrWQCdGHyL
PcAiWM7lzjAQ1nf2vNvx7pc=
=EaUY
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Julian Mehnle wrote:

> we could approve an erratum specifying that v=spf1 be applicable
> for PRA checks.

That's unlikely to get consensus, and one interpretation of the
IESG note would also make it redundant... :-(

> Of course it would break most v=spf1 records.

No, it breaks only those policies where PRA != MAIL FROM cases are
"legit" as defined by the publisher of the policy. That's nowhere
near to "most", quite the contrary.

How serious are we about killing SenderID ? I think it's possible,
using the "standards process" and the magic word "updates 4406" or
similar.

The longer I think about PRA the more I come to the conclusion that
it's only a crude and unnecessary emulation of v=spf1 with no real
benefits of its own. Putting these conclusions in an I-D is a very
attractive plan, it's also what Keith recommended months ago (2005).

> maybe we suddenly stopped caring about that? After all, RFC 4408
> is just of "experimental" status, right?

Nobody here stopped caring about it, and "PRA" is certainly at the
core of the issues why v=spf1 is experimental. Now after the weird
anti-spam crowd moved on and has DKIM as new toy, we could clean up
this mess: v=spf1 got it right, PRA got it wrong. Tons of reasons,
all simple, clear, compelling, and strictly technical.

It's the purpose of an experiment to... (guess).

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Julian Mehnle wrote:
> > we could approve an erratum specifying that v=spf1 be applicable for
> > PRA checks.
>
> That's unlikely to get consensus, and one interpretation of the IESG note
> would also make it redundant... :-(
>
> > Of course it would break most v=spf1 records.
>
> No, it breaks only those policies where PRA != MAIL FROM cases are
> "legit" as defined by the publisher of the policy. That's nowhere near
> to "most", quite the contrary.

No, actually it would break _all_ the v=spf1 records whose owners weren't
or aren't aware that there is a PRA interpretation for v=spf1. Most
records may be incidentally correct at any point in time, but as soon as
the domain owner changes their e-mail sending infrastructure or "From:"/
"Sender:" header usage patterns, their record will break.

Existing "v=spf1" records don't just carry the explicit information stored
in their contents, but also the implicit expectation that semantics will
remain unchanged.

> How serious are we about killing SenderID ? I think it's possible, using
> the "standards process" and the magic word "updates 4406" or similar.

Standards track RFCs don't "update" experimental ones, do they?

I think any attempts to get "v=spf1" to "Standard" status are a waste of
time. What is there to be gained?

I'll say it again: Let's spend our efforts on v=spf3 instead.

> The longer I think about PRA the more I come to the conclusion that it's
> only a crude and unnecessary emulation of v=spf1 with no real benefits of
> its own. Putting these conclusions in an I-D is a very attractive plan,
> it's also what Keith recommended months ago (2005).

Well, the damage is already done. What is there to be gained by turning
<http://www.openspf.org/SPF_vs_Sender_ID> into an I-D?

> > maybe we suddenly stopped caring about that? After all, RFC 4408 is
> > just of "experimental" status, right?
>
> Nobody here stopped caring about it, and "PRA" is certainly at the core
> of the issues why v=spf1 is experimental. Now after the weird anti-spam
> crowd moved on and has DKIM as new toy, we could clean up this mess:
> v=spf1 got it right, PRA got it wrong. Tons of reasons, all simple,
> clear, compelling, and strictly technical.

The same applies to not grafting as-of-yet-unspecified <target-name>
validation onto RFC 4408. Yes, not specifying it was a mistake (I think I
said that a long time ago). However, shit happens and we cannot change
the v=spf1 specification to such an extent now.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGBwmRwL7PKlBZWjsRArgpAJ0eKCPbla/T88tRed6QPmDjM9ibkgCfaDsf
7URcWJIWFj2SxFbT2OIpyVc=
=PoyA
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Mehnle wrote:
> I think any attempts to get "v=spf1" to "Standard" status are a waste of
> time. What is there to be gained?
>
> I'll say it again: Let's spend our efforts on v=spf3 instead.

Let me clarify: A year ago, before "v=spf1" was published as an RFC, our
attempts to get onto standards track obviously made perfect sense, mostly
from a PR standpoint. But now that there is RFC 4408, who really cares
about "SPFv1 is now an IETF standard!" anymore? I mean, who besides _us_?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGBwv0wL7PKlBZWjsRAmC/AJ9fkxmjvsuT36Z1rxmlr1Q1ClFDPACeNEF2
Izga8uTGbj7FJ9TznOB2rto=
=C11m
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Julian Mehnle wrote:

>> No, it breaks only those policies where PRA != MAIL FROM cases are
>> "legit" as defined by the publisher of the policy. That's nowhere
>> near to "most", quite the contrary.

> No, actually it would break _all_ the v=spf1 records whose owners
> weren't or aren't aware that there is a PRA interpretation for
> v=spf1.

I think we're in violent agreement. It would break for all policies
if a legit user happens to post on a say Sympa mailing-list (i.e. any
list not supporting the Resent / Sender magic required by SenderID),
and where the domain owner agrees that this is permitted.

Otherwise the domain owner is either in need of medical help, or
should arrange op=pra and/or copy v=spf1 to spf2.0/pra a.s.a.p.

> Standards track RFCs don't "update" experimental ones, do they?

Not sure, obsoletes should be okay. Updates would be rare if it
results in a normative "downref" (tons of rules, with loopholes
for the loopholes like a "variance" procedure, and of course it's
also possible to fix the damned rules.)

My idea to get rid of PRA by explaining why it's mostly pointless
in an I-D is independent of 4408bis. It could be a IANA registry
of SPF version tags, seeded with the five existing tags.

> I think any attempts to get "v=spf1" to "Standard" status are a
> waste of time. What is there to be gained?

A proper standard, what I always wanted since day one when I saw
this messy list with its moving target v=spf1, one day adding odd
mechanisms, another day unifying itself with Caller-ID, wild and
wonderful scopes, modifiers, and more cruft.

What survived from all these discussions ? Tiny minorities of
users consider op=auth and op=pra as good idea. And tolerate
op=helo and op=nohelo for educational purposes, documenting two
"roads not followed" proving that nobody needs a helo-scope.

Our understanding of modifiers is certainly better than in 2004.
We'd know how to do say op=dkim if there ever is an SSP for DKIM.

Our understanding of the IETF standards process is also better.
And if you think that SPF is _necessary_ to save SMTP from the
forces of evil, then that's no "experiment".

> What is there to be gained by turning
> <http://www.openspf.org/SPF_vs_Sender_ID> into an I-D?

Ordinary admins will never find it, they've no clue what the
differences between PRA and v=spf1 really are. Gullible folks
might find the Wikipedia articles and believe it, and that's it.

Publishing I-Ds offering new insights (the appeal didn't discuss
the relationship of version tags) is another way to "promote SPF".

The appeals were for obvious reasons confrontational. The I-D
would be the next obvious step, assimilation: "PRA was a nice
idea unfortunately unrelated to reality, let's talk about SMTP."

<target-name>
> Yes, not specifying it was a mistake (I think I said that a long
> time ago). However, shit happens and we cannot change the v=spf1
> specification to such an extent now.

That's nonsense. Fixing bugs and mistakes is always allowed, one
popular way to fix bugs is to document them as "features". While
it's almost hopelessly old, if you have more time again take a
look into RFC 2026. Or start with the TAO of IETF (RFC 4677), it
is more up to date, Paul (and Brian) did a very nice job with it,
it's where I started when Bruce started to torture USEFOR (2004).

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Mon, 26 Mar 2007, Frank Ellermann wrote:

>> Standards track RFCs don't "update" experimental ones, do they?

Frank is correct. The STD can obsolute experimental RFC but can
not update it as update would require original to be on highier
or same level of standards track (experimental is not but for
most purposes it can be considered level 0 with proposed being 1,
draft 2 and full standard 3).

> Not sure, obsoletes should be okay. Updates would be rare if it
> results in a normative "downref" (tons of rules, with loopholes
> for the loopholes like a "variance" procedure, and of course it's
> also possible to fix the damned rules.)
>
> My idea to get rid of PRA by explaining why it's mostly pointless
> in an I-D is independent of 4408bis. It could be a IANA registry
> of SPF version tags, seeded with the five existing tags.

We'll not be able to do it. But if 4408bis is standards track and
SID is still experimental and can not move to standards then for
all purposes its dead and some time way way later it can be made
historic. However it'll be very tough to move SPF to standards
track within IETF (not for technical reasons but political)

>> I think any attempts to get "v=spf1" to "Standard" status are a
>> waste of time. What is there to be gained?
>
> A proper standard, what I always wanted since day one when I saw
> this messy list with its moving target v=spf1, one day adding odd
> mechanisms, another day unifying itself with Caller-ID, wild and
> wonderful scopes, modifiers, and more cruft.

SPF1 was not put together in consistant manner with proper analysis
and architectural design. Result of certain decisions to do it as
far as possible and accomodate as many proposed uses as possible.

> What survived from all these discussions ? Tiny minorities of
> users consider op=auth and op=pra as good idea. And tolerate
> op=helo and op=nohelo for educational purposes, documenting two
> "roads not followed" proving that nobody needs a helo-scope.
>
> Our understanding of modifiers is certainly better than in 2004.

I dont agree. We have not used modifiers in any serious way.

> We'd know how to do say op=dkim if there ever is an SSP for DKIM.

You mean if there is not an SSP (or if there is one that is not very
useful). because then it makes lots of senses to use SPF record
modifiers for purposes it failed to do.

> Our understanding of the IETF standards process is also better.
> And if you think that SPF is _necessary_ to save SMTP from the
> forces of evil, then that's no "experiment".

SPF maybe necessary to save SMTP. I'm back to 2002 when I was
thinking if its worth saving or if redesigning better email
protocol is right thing to do. And there is also such a thing
as when you have too many patches on something, its really no
longer original but something new (i.e. ncsa httpd -> apache).

>> What is there to be gained by turning
>> <http://www.openspf.org/SPF_vs_Sender_ID> into an I-D?

You mean informational one? Nothing good.

> Ordinary admins will never find it, they've no clue what the
> differences between PRA and v=spf1 really are. Gullible folks
> might find the Wikipedia articles and believe it, and that's it.

Aren't you the one writing in wikipedia about spf and sid?

> Publishing I-Ds offering new insights (the appeal didn't discuss
> the relationship of version tags) is another way to "promote SPF".
>
> The appeals were for obvious reasons confrontational. The I-D
> would be the next obvious step, assimilation: "PRA was a nice
> idea unfortunately unrelated to reality, let's talk about SMTP."

If you can write this id, but all means, but it'll not fly through
IETF to become an RFC even informational one (they'll find a reason
even if everything else is ok).

> <target-name>
>> Yes, not specifying it was a mistake (I think I said that a long
>> time ago). However, shit happens and we cannot change the v=spf1
>> specification to such an extent now.
>
> That's nonsense. Fixing bugs and mistakes is always allowed, one
> popular way to fix bugs is to document them as "features".

Its a lot harder to fix an error between proposed and draft or between
draft and standard - then you have to really convince everyone there was
original intent of the document and this is just an error in how it is
written and explained. But for experimental -> proposed standard fixing
an error is a lot easier, you just say we learned it was an error during
the experiment and now ready to publish real documents with this and other
errors taken care of.

--
William Leibzon
Elan Networks
william@elan.net

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735