So why do you, and others, seem so upset with a proposal that *is*, in at least some regards, more secure and more useful (to large ISPs)?
Who's upset? I'm afraid I started this by asking how the damn thing works, and all that seems clear is that no one really knows. All that's left is to wait and see...
SPF doesn't meet their (Yahoo's) needs, for several reasons. It *isn't* useless, but it's nowhere near as useful (to Yahoo and other large ISPs) as the crypto solution. And it does diddly for the legal side of the matter.
The "legal side of the matter" was solved (better, IMHO) a long time ago by PGP and SMIME.
I was (and am) fed up with this extraordinarily ill-founded idea that Yahoo apparently 'should have' adopted SPF rather than craft a solution that fits their needs (perhaps best encapsulated in the observation that the phrase 'most natural' has little to do with any tangible problem). The _fact_ is that SPF _didn't_ fit Yahoo's needs, and rather than address those deficiencies in SPF, all I've seen from you (and others) are arm-waving explanations that SPF is, apparently, good enough.
And for all of that, I still don't see how domain keys is substantially better than SPF. In order for the whole thing to work right, Yahoo! must keep its private keys *private*. They have to reside only on Yahoo!'s servers, and can only be used by those servers to sign messages that pass through or originate there.
If I then receive a message claiming to be from Yahoo!, I could check SPF records (if there were any) and be able to tell that a message really came from Yahoo! servers. Or I could check the signature in the header. Signature checking takes more processing power, and proves the same thing: the message came from one of Yahoo!'s servers.
Don't get me wrong: it may well be good enough for you. But it obviously isn't quite good enough for Yahoo, hence their own proposal.
It's not obvious to me. I figured it may have been a bad case of NIH. That sort of thing is rampant. I hear they're working on a vaccine.
And one of the merits of their own proposal is that it will be useful *to Yahoo* even if no-one else adopts it...
I suppose that's true. It would prevent someone from claiming that they're being spammed from Yahoo!'s servers and forging a message, on their own, to use as evidence. That might be important if/when legislation allows someone to target Yahoo! for providing service to spammers or other criminals.
The RFC's and standards bodies are littered with standards that are fully-formed but simply don't address a real need, or don't address a need well enough. Just take a look at ANSI standard tape formats! SPF looks adequate for what it does, but for essentially the same administrative overhead, 'YASAF' does more, including the issue of providing legally useful proof of origination.
/me nods
------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ courier-users mailing list [EMAIL PROTECTED] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
