With such a statement you're making an assumption that the technology
(i.e. SPF and SID) is only good for sender authentication and anti-spam.

This is a common mistake, especially in regards to SPF, and is largely
due to how the technology has been marketed by many. But it is all not
technically correct as SPF aims at stopping spoofing of RFC2821 MAILFROM
address and to prevent backcuster of delivery failure messages when
address is misused.

Also what is true about SPF may not be true about SID and as they operate
on different identities you're bound to see problems if incorrect record
is used.
Correct. And with two conflicting specifications it is difficult to
understand what the intent of the sender is. This is a problem for
both SID and SPF protocols and unless resolved it discourages
participation of users in these experiments and thus IETF would
be enable to get true results about usability of the technology.

[skip]
The IPR disclosure's problem was not actually IPR limited text itself,
the main problem was how it happened and that many (I'll go as far as
to say majority of individual participants at MARID) lost trust in
Microsoft especially after the disclosure of their overreaching patent
applications. It is really failure of Microsoft to be able to play
fair and work together with open-source and similar communities even when
both sides were willing to try for common good (and the technical people
from Microsoft participating at MARID were not at all responsible for it,
they were victims of the decisions made quite deep at their company).

Further work of the WG would have been very difficult with two sides not
being able to easily talk to each other (which would make it difficult to
come to consensus, although if given time to cool down it could have been
possible, but you can see this difficulty even now with SPF and SID drafts).
I don't think it was the reason. They knew about luck of backwards
compatibility even before and did not say anything. I'll go as far
as to say that somebody asked AOL to temporary withdraw support and
they were willing to play along.
The problem is that Meng never understood about real causes for failure
of MARID as I tried to describe above and did not understand concerns of
those who actually created SPF (he was editor of the original draft and
"managed" the group but not really author of the technology which came
together based on work of individual participants at spf-discuss), he
assumed himself to be appropriate representative of open-source-like
group that created SPF and that he could on their behalf continue to
talk and work further with MS to create common standard as MS wanted
from MARID, but in the way he did it, he just showed further where
MARID was failing and why it was appropriate for work to now be done
on two *separate* "experiments" as IETF asked.

The result is that there was a lot of outrage at the spf-discuss in
October/November 2004 when new individual submission SID draft came
out with reuse of v=spf1 records and consequently Meng was removed
from being person responsible for representing views of SPF and
replaced with group of people (SPF Council), plus primary editor
of the SPF documents was also replaced. This was not unexpected if
one could understand what happened at MARID.
Partially true (drafts did "flow" from MARID, but there were already
significant differences then the actual MARID drafts).

And as far as Mark Lentczner's spf draft it was already partly in the
way SPF community wanted as far as documenting real v=spf1, but he was
just not willing to take it further (probably also did not understand
what happened at MARID and wanted to continue that work largely as is,
plus he probably knew about agreements Meng was at the same time making
behind the scenes with MS and AOL).
It would be nice to know what happened behind the scenes. In fact it
what you see here is an example of why IETF standardization work should
be done in public instead of private.
See above, I think I explained more how this all really came about.
Yes. And it is all result of that unfortunate attempt to "continue
MARID" with spf1 taken by Meng instead of proceeding as me and several
others originally expected as far as having v=spf1 documented first and
then quickly move to SPF2 as separate document series based on MARID and
proceeding further to UnifiedSPF (i.e. one common format for policy
records with separate identities/scopes and how to interpret those
identity records). That second document series would have been real
successor to MARID but it did not happen.

What you have now is that neither of the documents approved by IESG is
really MARID documents and they really do need to be viewed as separate
individual submissions and should be judged on their own merits.

SPF draft is best attempt so far to document SPF protocol as it was
developed prior to MARID (with only few things borrowed from MARID)

draft-lyon-senderid and other SID documents should be viewed as separate
private submission of proprietary Microsoft CID implementation which
instead of original CID XML DNS record has now adapted SPF record syntax.
And as separate submission made to IETF, it should also be responsibility
of IESG that their proposal does not come into conflict with other LMAP
proposed experiments and does not break any other IETF standards.
Again, please understand that v=spf1 document does not represent MARID
work perse - its separate submission documenting pre-MARID protocol
slightly further developed and better documented (with that documenting
being in part result of working at MARID).
Yes, mistake on their part.
I believe at this point the appeal is only to IETF chair and not to IESG.

[An interesting situation BTW - because IESG as a whole made decision to
proceed with drafts publication where as now only one person from IESG
has opportunity to overrule them. For government-like structure this
appears to show where IETF Chair has power of veto like President has
over decisions of Congress, but President represents separate branch
of government, where as in countries with parliamentary democracies
the prime-minister typically can not overrule the parliament]
That would not be appropriate. The appeal is only against SID draft
(should have been against all 3 SID drafts actually - they can't
be published separately). SPF draft should continue to be viewed
as separate submission and decided on its own merit.

So should (as individual submission on its own merit) be viewed
whatever MS comes up with and certainly there should be no conflicts
that arise from its when they want to reuse somebody else's record
or fields - it should be done only in a way that effects are limited
to those who agree to participate in their experiment.
You can "call upon the authors" once again but it has been done
before and it has not resulted in reconciliation so far. The
conflict that became clear at the end of MARID is still there
and so is inappropriate use of somebody else's work that MS is
so famous for.
Even for informational purposes publishing conflicting specifications
is not appropriate. There really is not much of a choice here - if
IETF/IESG agrees there is a conflict, it must request one of the drafts
to be withdrawn and fixed (and if author does not do it, IESG would have
no choice but to block it from going further). Since its the SID draft
that depends on SPF draft, the SID would have to be the one to be
withdrawn (i.e. SID can't be published without SPF draft where as SPF
draft can be published without SID). In separate post I'll show why its
correct to withdraw SID draft for other reasons too.

As far as MARID work IESG wanted, the correct thing is start working on
SPF2/3 where we left off at MARID and create it as new series where all
scopes are clearly separated. But what IESG really wanted was to
experiment with these technologies (I doubt they cared as to particulars
of the record syntax) and in fact SPF1 does in as far as providing
way to see how RFC2821 MAIL FROM verification can be achieved. For MS
the same could be achieved if they instead worked on further on original
Caller-ID (or it could be achieved if they published real MARID in the
way documents went to MARID at last-call in August with only spf2.0 used).

[skip]
Most others as well and he did not understand that it was just make
situation that brought end of MARID a lot worse which is exactly
what happened.
I suspect we both know some of the things that were not made
public and so I'll just note that happen to disagree. I do not
believe Microsoft would have been able to do anything more - it
really was not something that was up to the people who we were
working with, they've done all they could on this matter and in
fact said as much.
I do not believe it can happen now either and I think trying to
negotiate would hit the same road-block as before and it would not
be anything people seen as standing behind SID at MS (and thus
involved in such negotiations) could do anything about.

But if reuse of spf1 records is really realy the only way for MS
and it wants to continue, then the only possibility for negotiation
I see is to get it part the way for both sides. This would involve:
1. MS agrees to change its draft and only use positive results of
SID verification on v=spf1 records (but not fail, softfail or
results if record is absent) and that for negative results real
SPF2.0 record would be needed.
2. SPF community agrees to soften v=spf1 draft and allow for use
of positive results with other identities (I brought this up before
and while some thought it was ok, others thought there are is too
much potential for confusion and incorrect results even then - no
way can we come to consensus unless its really part of negotiation
and MS gives something else to make it worth it).
3. Both sides agree to work further on the next version of protocol
that would have clear separation of scopes and core protocol
document that both sides could then reuse [this would be real
successor to MARID]. Both sides agree that once such new documents
are ready, they will begin to promote this new version.

---
William Leibzon
Elan Networks
***@elan.net

That was not the only objection to SenderID and the PRA.

The objections to SenderID and the PRA include:

* The re-purposing of the Resent-* headers. The SenderID drafts
require forwarded email to add Resent-* headers, while RFC2822
explicitly says that forwarders are not supposed to add these
headers.

Since forwarders do not currently add Resent-* headers, it would
have been just as easy to create a new header for this purpose.


* The PRA can not distinguish between these two cases:

1) An email is sent to a mailing list, which adds a Sender: header,
and then the mailing lists sends it on to an email forwarder.
According to the SenderID documents, the forwarder needs to add
the Resent-* headers.

The resulting email will end up with both Sender: and Resent-*
headers.

2) Someone "bounces" an email (in the pine/elm/gnus sense of
re-sending the email) to a mailing list. As per RFC2822, these
MUAs correctly add the Resent-* headers to the email. The
mailing list then adds a Sender: header.

The resulting email will end up with both Sender: and Resent-*
headers.

The PRA has to give incorrect results in at least one of these cases.


* The re-purposing of the SPFv1 record, as outlined in this appeal.


* The PRA has a higher error rate than SPF since it fails not only in
cases where there is forwarding going on, but also on many mailing
lists.


* SenderID and the PRA is no more effective at stopping phishing than
classic SPF.

Simply displaying the "PRA PASS" result actually makes the phishing
problem worse, unless you also display the domain name that caused
the PASS result. Otherwise, phishers will put a ***@paypal.com
on the From: header, and add a "Resent-Sender: ***@phisher.com", and
the result will be a PRA PASS which looks like it came from paypal.

If you display the domain that caused the PRA PASS, you can just as
easily display the domain from the Return-Path and use SPF instead.
At this point, there are no advantages to using the PRA.


Of course, there was also:

* The PRA requires a patent license that is incompatible with several
open source licenses, representing a significant number of MTA and
spam-filter software currently deployed. It also requires
commercial companies to inform Microsoft when they plan to create a
product that uses the PRA.


And finally, there are people who objected to both SPF and SenderID
because:

* Both SPF and SenderID break forwarding.

* Both SPF and SenderID require everyone to either send email through
designated MTAs, or to have special exceptions created often
requiring specialized software. This is known as the "working from
home user", "roaming user" or "traveling salesman" problem.

* Both SPF and SenderID break greating-card sites and the "send a news
article to a friend" sites.

The licensing issue was most certainly *NOT* the only cause for the
closing of the MARID WG.


All in all, the PRA has lots of disadvantages compared with SPF and no
advantages. (Other than support by MS, that is.)

Except for the cases of the re-purposing of SPFv1 records and the
re-purposing of the Resent-* headers, I think the market can deal with
the problems with the PRA.
You can't "negotiate" over technical problems. No one can create
"backward compatibility" by decree.
You have the timeline slightly messed up here. The work Mark
Lentczner did during MARID was not about SPFv1, it was about SenderID.

Mark created an SPF-classic draft *after* MARID was shut down. There
is some dispute about whether this was intended to be part of the call
for individual submissions made when MARID ended, but it was never
intended to be used as the basis for the SenderID drafts.

The fact that the lentczner-spf-00 I-D did not include support for the
HELO identity was one of many incompatibilities with earlier SPF
specifications and deployed SPF implementations. It was due to the
large number of incompatibilities that the lentczner-spf-00 draft never
reached a rough consensus level of support within the SPF community.
It should be noted that the SPF wizard that Microsoft created produced
completely invalid SPF records until shortly before the FTC Email Auth
Summit, which was long after MARID closed. The number of records with
these tell-tail errors is actually fairly small, indicating just how
little MS backing for publishing SPF records actually had.



-wayne