spf-discuss

Re: SPF and Responsibility

2004-07-22 07:23:51


Michel Bouissou wrote:
> On Thursday 22 July 2004 15:52, Daniel Taylor wrote:
>
>>> Comparing web/http and email/smtp makes no sense whatsoever.
>>
>> Why not?
>
> Well, we are discussing the email forgery problem, because it is so widely common that it is a real pain in the ... of the whole email system. We are not discussing the web page forgery problem, and it happens that those are very uncommon, unless your web or DNS server has been broken into and compromised (not talking about "phishing" spam that directs people to pages that may look to be yours, but actually don't come from your server).

Exactly. What I'm saying is that e-mail should be, and needs to be,
more like that. This is why having a high standard for what PASS means is important.

> The very fact that email/smtp suffers from the forgery disease to this extent, where web/http does not, proves that the issues are radically different, their causes are different, their remedies (if needed) will have to be different, and one does not compare to the other more than a pimple on the nose compares to a heart attack...

I'd say it proves nothing of the kind. E-mail was set up as a more
distributed system due to limitations of the early internet. It was
likely that you would not be able to communicate directly with the
destination of your e-mail, so things like open relays were necessary
to ensure that traffic could pass. Times change, and now the problems
of the distributed system outweigh the benefits and we need to go
to a more controlled system like the web. SPF, DK and other sender
authentication schemes are an attempt to preserve the parts of the
existing system that are still useful while allowing source
authentication, which is necessary to cure the problem of forgeries.

> And you cannot compare what you expect to get when you contact a server to ask for a web page that it permanently hosts (web), with email that you receive from a server that didn't originate the message by itself, but merely acts as a forwarder (whatever controls it may or may not implement).

But you _should_ be able to have an expectation of authenticity
under certain circumstances. SPF allows the sender to state what
those circumstances are by declaring trusted servers with the PASS
mechanism, untrusted servers with NEUTRAL, and invalid servers with
FAIL.



--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
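The "trusted with PASS, untrusted with NEUTRAL, invalid with FAIL" split that Daniel describes is expressed in an SPF record as a qualifier on each mechanism: "+" (pass, the default), "?" (neutral), "~" (softfail) and "-" (fail), evaluated left to right with the first matching mechanism deciding the result. The following evaluator is an added example for this thread, not code from either poster or from any SPF implementation. It assumes a constructed record using documentation address ranges, and it only handles the mechanisms that need no DNS lookups (ip4, ip6, all); anything that does (a, mx, include, exists, redirect) is rejected explicitly rather than silently treated as no match, so a caller cannot mistake an incomplete evaluation for a real NEUTRAL.

```python
import ipaddress

# Qualifier character -> SPF result name. "+" is implied when none is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record (not taken from any real domain):
#   192.0.2.0/24     trusted servers   -> PASS
#   198.51.100.10    forwarder we don't vouch for -> NEUTRAL
#   203.0.113.0/24   legacy relay being phased out -> SOFTFAIL
#   everything else  -> FAIL
SAMPLE_RECORD = "v=spf1 +ip4:192.0.2.0/24 ?ip4:198.51.100.10 ~ip4:203.0.113.0/24 -all"


def parse_spf(record):
    """Split an SPF v1 TXT record into (qualifier, mechanism, argument) terms.

    Only ip4, ip6 and all are supported here. Mechanisms that require DNS
    (a, mx, include, exists, redirect=) raise NotImplementedError so the
    caller knows the record could not be fully evaluated.
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[:1] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6", "all"):
            raise NotImplementedError("mechanism %r needs DNS lookups" % name)
        if name == "all" and arg:
            raise ValueError("'all' takes no argument")
        terms.append((qualifier, name, arg))
    return terms


def check_host(record, client_ip):
    """Return the SPF result for a connecting IP against a record.

    First matching mechanism wins; a record with no matching mechanism and
    no 'all' terminator yields 'neutral', as SPF specifies.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        try:
            # ip4:192.0.2.5 without a prefix means a single host (/32 or /128).
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"          # malformed network argument
        expected_version = 4 if name == "ip4" else 6
        if net.version != expected_version:
            return "permerror"          # e.g. ip4: with an IPv6 argument
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for addr in ("192.0.2.55", "198.51.100.10", "203.0.113.7", "198.51.100.11"):
        print(addr, "->", check_host(SAMPLE_RECORD, addr))
```

Note that a receiver gets to choose what to do with each result; the record only states the sender's claim. A site that wants PASS to carry the strong meaning argued for above would accept only "+" mechanisms as evidence of authenticity and treat "?" exactly as it treats an unlisted host.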

