[Top] [All Lists]

Re: SPF I-D for review: draft-schlitt-spf-classic-00.txt

2005-03-03 22:20:08

Well, current SMTP specifications allow for anyone to use any domain
in either the rfc2821 identities, or any place in rfc2822.  All
authentication schemes intend to change that.

AFAIK, none of SSL, TLS, or SMTP AUTH make any such change.

well, it depends on what you mean by "being able to use any domain"

for instance, SSL/TLS server certificates do not allow the server to [convincingly] claim to be any domain it wants to be within the SSL/TLS protocol. they don't try to restrict the server's domain name according to the IP address, and they don't inherently impose constraints on what domains the protocols layered over SSL or TLS use. what they do is allow a server to convincingly claim to be a domain - if the client trusts the CA in the server certificate.
similar limitations apply to client certs.

whether it's appropriate for the higher-layer protocol to expect its domains to match those in the SSL/TLS certificates varies from one protocol to another. in the case of email, it's generally not reasonable for an SMTP client or server to expect the domains in EHLO, HELO, MAIL, or RCPT to match those used at the SSL or TLS layer, because third-party relaying is an extremely useful feature of the SMTP architecture.

<Prev in Thread] Current Thread [Next in Thread>