Re: [mail-vet-discuss] -19 of draft-kucherawy-sender-auth-header

Douglas Otis wrote:

On Jan 9, 2009, at 12:48 PM, Lisa Dusseault wrote:
Hi Doug,
Does anybody support your review of sender-auth-header, to the pointof believing that the document should not be published? So far youare still very much in the rough part of rough consensus.
thanks,
Lisa
On Wed, Jan 7, 2009 at 1:14 PM, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org>wrote:
Murray,
There has been progress, but a few extremely critical securityrelated areas still need to be addressed.
I have posted a draft that reviews the sender-auth-header draft.

The text and html versions are available at:
http://www.ietf.org/internet-drafts/draft-otis-auth-header-sec-issues-00.txthttp://www.sonic.net/~dougotis/id/draft-otis-auth-header-sec-issues-00.html
Funny that you describe your concern as involving rough consensus.The draft itself can't decide when it should stop pretending aboutwhat defines authentication, and remains remains contradictory on thiscritical subject.
It states that only _authenticated_ information should be includedwithin the "Authentication-Results" header for either Sender-ID orSPF. At the same time, the draft defines Sender-ID and SPF as beingan authorization method and _not_ the authentication of the domain.In fact, there is no way to know whether Sender-ID results were basedupon SPF version 1 records in its current form, or whether a domaineven intended positive results to affirm its identities, or whetherjust negative results of a Mail From were intended to mitigateback-scatter. This leaves the issue of authentication itself clearlyin the rough.
In addition, there is also the matter of encouraging the use ofdangerous local-part macros when one wishes to obtain email-addressannotations. At least the Sender-ID specification states local-partsare _not_ verified. What is providing the authorization remainsunknown for SPF, even though the local-part is ignored in Sender-ID.In addition, there is no consensus between either Sender-ID or SPF asto which elements of a message are to be used to access version 1records. Clearly, scoping issues are also in the rough.Nevertheless, this header is willing to label results of this mess"Authentication-Results".

I suggest that the Technological sense of Authentication is irrelevanthere. The real issue is what the Court's and those stuck using theseprotocols are forced to do to prove their actions. As such its theCourt's Authentication Schema's that should be relied on here ratherthan what we as technologists would prefer.

The remedy being sought is to replace the local-part of the"authorizing" email-address with a converted string representing theIP address of the SMTP client that is being authorized. This allowsthe authenticated origin of a message to be vetted, in addition towhat _might_ be an authorizing domain. A fair compromise.

Except that there is no way with the proposed model to prove that IPaddress is accurate and not being spoofed.

While there are influential proponents of this draft, this draft andthe experimental SPF and Sender-ID RFCs remain dangerous as written.With a few minor modifications, the Authentication-Header draft wouldbecome much safer. Satisfying those that represent influentialspecial interests should not cause the IETF to dismiss theirstewardship role.

The IETF is a steward of nothing. Its a Standards Platform andmanagement process to create 'open and fair' internet standards.

We all know there is money to made picking up the pieces, but thereare more productive ways to make a living.
-Doug _______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
------------------------------------------------------------------------


No virus found in this incoming message.
Checked by AVG - http://www.avg.comVersion: 8.0.176 / Virus Database: 270.10.4/1880 - Release Date: 1/7/2009 8:49 AM


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf