There are two types of Information and Experimental documents; those
which are sponsored by an AD and those which come from the RFC Editor
to be checked for conflict with IETF work. In the latter case, you may
well see blank spaces, all no-objections, or similar. In the former case,
it might happen that something does not have a Yes because of something
like a Last Call comment to be resolved simultaneously with IESG review,
but it is unusual and considered as a "yes-->placeholder" collapsed.

The IESG also asks different questions for the two tracks, because there
is a set of IESG Notes automatically added to RFC Editor-sponsored documents.
The review instructions for RFC Editor-sponsored Informational and
It was the June 9th telechat; the minutes get approved at the following
telechat (a week from today), and they'll be public then. The response
to Wayne contains all the data, though: the IESG considered it, but did
not find support for it.
Just to be clear, David Kessens proposed the note; there has been
some wordsmithing
by others, but he was the person who brought it forward. I believe David has
some basic concerns about the usability of either approach as well as concerns
about using them in tandem. I don't want to speak for David, but I think
these were not limited to the question of which identity is at issue.
See above for the evaluation instructions.

regards,
Ted Hardie

I'm not sure what having "your own IP address" has to do with either
authentication or authorization. Are you working under the misapprehension
that you need a separate IP address per domain name in order to turn on
SMTP AUTH and enforce proper use of identities?

A casual reader of the above might make the mistake of assuming that SPF
requires a static IP in order to work. It is strongly implied. If you
actually believe this, I can take the time to explain how SMTP AUTH and SPF
Pass results are related.

If you don't understand what I meant when I said "the site uses SMTP AUTH
and doesn't allow spoofing of other domains" then please ask for
clarification. If you DO understand what I meant, please stop spreading
misleading information.
The SPF spec describes "pass" as "the action is authorized". It doesn't
describe authentication or compliance, as far as I know. I believe SPF is
a great tool for what it does, but it doesn't do everything. I think this
is OK... any tool claiming to do all of the above should be viewed with
skepticism... To me it seems a lot more likely that the problem space
will be covered by multiple tools.
I'm sorry, I think my initial explanation was not detailed enough. I was
assuming that since you spend a fair amount of time pointing out SPF's
faults, that you were familiar enough with the mechanisms in question to
understand my statement.

Here is some background necessary in order to understand the significance
of "pass" vs. "unknown" in the context of reputation.

"+" indicates that the mechanism results in a "pass". "+" is also the
default, so if you have a mechanism with no prefix, the "+" is understood.
+include:isp.net and include:isp.net are the same. If the mechanism
matches the situation, the result is "Pass". The receiver can proceed with
confidence in the identity (mfrom or helo). The action is considered
authorized, and the domain owner should be held accountable for the action
of the MTA.

"?" indicates that the mechanism results in a "neutral" result. The action
is neither explicitly authorized nor explicitly denied. The receiver
should proceed with whatever the default action is for domains not
protected by SPF.
Right, again I apologize for not explaining what I meant well enough. I
believe your first paragraph above is consistent with the "Pass" result and
the "+" modifier (or no modifier), and your second paragraph applies well
to the "neutral" result and the "?" modifier.

The difference between these two modes is as you say. "Pass" is the only
result I would really describe as "success". It implies that the domain
owner wants the privileges conferred by a Pass, and is willing to defend
the messages coming from that MTA with his reputation. They are one and
the same as far as SPF is concerned... it is meaningless to authorize a
message if you're not willing to stake your reputation.
I don't really draw a distinction between equipment I own or control, and
stuff done on my behalf by a vendor. The important distinction is not who
owns the equipment, but whether I trust the vendor/partner/employee/robot
in charge of doing it, and whether I trust them enough to stake my own
reputation.

A lot of ISPs are now requiring the use of SMTP AUTH within their networks,
but my experience has been that they don't block messages claiming to be
from various domains. Hopefully if enough users ask for this, they will
start matching up domains that I own and control with my name and password
for SMTP AUTH, and disallowing others from using domains they don't own. I
don't think it's a tough problem to solve, but currently they have no real
incentive to solve it. I think wider use of ip-based authorization will
put more pressure on them.

In the meantime, some domain owners may choose to give them a PASS anyway,
in effect staking their reputation on a service that may be mostly
spam-free and forgery-free right now, but may develop such problems in the
future, and they will deal with that if and when it happens.
You stated a couple of times (though I snipped them for space conservation)
that you see CSV and DKIM as a valid path to authorization, authentication,
and reputation. Why do you feel that CSV+DKIM fulfills this goal, but
SPF-HELO+DKIM would not?

I readily admit that I don't understand CSV well enough to spend a lot of
time bashing it on various lists. Therefore, please don't assume I'm
bashing on CSV here. If the point of CSV is to provide confidence in the
HELO name, how is that functionally different from SPF used to check HELO?
- A domain owner publishes a record in DNS
- A receiver has a name and wishes to check it against the IP that
offered the name
- The receiver gets the DNS record and checks to see if the IP is
authorized
- If the IP is authorized, the receiver can proceed with confidence in
the HELO identity
It's my understanding that the above requirements can apply to either CSV
or SPF-HELO. I can guess that you probably don't agree with this, but I
still cannot fathom the reasons. Since SPF has been a frequent target for
folks to take pot-shots at such as "authorization without authentication is
not good enough", it's rather important to me to try and understand the
essence of this issue.


Thanks for taking the time to write.
gregc


--
Greg Connor <***@nekodojo.org>

I'm curious what the basis for this statement is. Do you have statistics?

As a domain owner that relies entirely on shared MTAs, many of which are
vulnerable to cross user forgery, almost all mail that comes from my domain
(including this message) gets a Neutral ("?") result. It's been this way
for more than a year. So far, I've had one mail rejection as a result. I
contacted that person via another channel and they thanked me for pointing
out that they had set up their system wrong. Based on my experience, I
would say that no one is rejecting mail due to a Neutral result.

In addition to my personal experience, I also help handle submissions to the
SPF web site. In the approximately 1,000 submissions we've had in the last
6 months there haven't been ANY that were caused by a Neutral rejection. If
this were a common phenomenon, I believe that people would be complaining.

WRT to softfail ("~"), it's a little different, there we are seeing
submissions that relate to rejections on a softfail result. The numbers are
small (I find 15 out of 1,073), but it does happen. This is also entirely
unrelated to the question of should a domain owner that is using a shared
server that has the potential to be subject to cross-user forgery give a
Neutral result. I thought that was the topic we were on.

I've done this for a long time and it works for me.

Scott Kitterman