ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] Re: Yet another attempt to fix forwarding

2008-01-30 14:44:02
from [Douglas Otis] [Permanent Link] 

On Jan 30, 2008, at 12:41 PM, Frank Ellermann wrote:


Douglas Otis wrote:
It seems rather ironic SPF's intended purpose was to direct culpability to the provider's customer (the email-address owner).
The "owners" of a reverse path are the hops adding info to it, today in essence limited to the envelope sender address as accepted by the MSA.
Owners of an email-address are not owners of the additive hops (the provider's addresses in the case of SPF). While SPF might be applied against the envelope sender address (the return-path), these records may also be applied against the Purported Responsible Addresses representing another attempt at identifying the provider's customer. The difference between the provider and the provider's customer is extremely important. When access depends upon an identity's indirect declaration of their authorized providers by way of address, privacy protection is clearly reduced.
In addition, schemes directing culpability toward provider's customers are in conflict with the general protection of personal privacy.
There is no such thing as "culpability" of senders in SPF. If folks want it they can arrange for a working envelope sender address based on their Message-ID or using BATV, but that has nothing at all to do with privacy.
When access depends upon an identity's declaration of authorized providers, the means for making this declaration resolves to the provider's customer, and not the provider.
Only the provider should be able to determine a message source, and therefore only the provider should be held responsible for controlling abuse.
The provider is not responsible for forgeries by third parties. SPF only allows to identify plausible (PASS) or forged (FAIL) envelope sender addresses for domains publishing an SPF policy.
You just said that SPF does not hold senders culpable, and yet SPF senders are required to identify themselves by way of their declaration of authorized providers? Why is the provider ignored?
There are perhaps a few hundred thousand major providers, and yet there are millions of individual's email domains in use. SMTP client validation within a single transaction could eliminate far more abuse than SPF. EHLO validation is yet another optional "feature" of SPF that _might_ be accomplished after a dozen or so DNS transactions. Unfortunately, SPF suffers from having too many "features" keeping this feature from being practical. How convenient. : ) 

-Doug



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Asrg] Re: blacklists, Frank Ellermann
Next by Date:  [Asrg] Re: Yet another attempt to fix forwarding, Frank Ellermann
Previous by Thread:  [Asrg] Re: Yet another attempt to fix forwarding, Frank Ellermann
Next by Thread:  [Asrg] Re: Yet another attempt to fix forwarding, Frank Ellermann
Indexes:  [Date] [Thread] [Top] [All Lists]