[81389] in North American Network Operators' Group
Re: Micorsoft's Sender ID Authentication......?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Jun 8 11:30:58 2005
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Daniel Golding <dgolding@burtongroup.com>
Cc: John Levine <johnl@iecc.com>, nanog@nanog.org
In-Reply-To: Your message of "Wed, 08 Jun 2005 10:18:55 EDT."
<BECC768F.C3FD%dgolding@burtongroup.com>
Date: Wed, 08 Jun 2005 11:30:21 -0400
Errors-To: owner-nanog@merit.edu
In message <BECC768F.C3FD%dgolding@burtongroup.com>, Daniel Golding writes:
>
>
>Reputation is a missing element in all sender authentications schemes and
>will (likely) be solved separately.
>
>No approach is perfect, but building closer to a solution is preferred over
>sitting on our hands and debating, which (historically) seems to be the
>IETF's approach.
I'm not a fan of authentication as an anti-spam technique (see my
Inside RISKS column for details). That said, if you're going to use
the concept there are good and bad ways to do it. SPF (and hence
Microsoft's scheme) are really lousy ways to do it, for the reasons
John gave. Beyond that, a lot of people at the IETF had the
impression, rightly or wrongly, that Microsoft was trying to use its
patents as another weapon to use against open source software.
The IETF isn't nearly as nimble as it should be, but rushing to adopt a
bad solution is not a good idea.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
