On Jan 30, 2008, at 12:41 PM, Frank Ellermann wrote:
> Douglas Otis wrote:
>> It seems rather ironic SPF's intended purpose was to direct
>> culpability to the provider's customer (the email-address owner).
>
> The "owners" of a reverse path are the hops adding info to it, today
> in essence limited to the envelope sender address as accepted by the
> MSA.

Owners of an email-address are not owners of the additive hops (the
provider's addresses in the case of SPF). While SPF might be applied
against the envelope sender address (the return-path), these records
may also be applied against the Purported Responsible Addresses
representing another attempt at identifying the provider's customer.

The difference between the provider and the provider's customer is
extremely important. When access depends upon an identity's indirect
declaration of their authorized providers by way of address, privacy
protection is clearly reduced.

>> In addition, schemes directing culpability toward provider's
>> customers are in conflict with the general protection of personal
>> privacy.
>
> There is no such thing as "culpability" of senders in SPF. If folks
> want it they can arrange for a working envelope sender address based
> on their Message-ID or using BATV, but that has nothing at all to do
> with privacy.

When access depends upon an identity's declaration of authorized
providers, the means for making this declaration resolves to the
provider's customer, and not the provider.

>> Only the provider should be able to determine a message source, and
>> therefore only the provider should be held responsible for
>> controlling abuse.
>
> The provider is not responsible for forgeries by third parties. SPF
> only allows identifying plausible (PASS) or forged (FAIL) envelope
> sender addresses for domains publishing an SPF policy.

You just said that SPF does not hold senders culpable, and yet SPF
senders are required to identify themselves by way of their
declaration of authorized providers? Why is the provider ignored?

There are perhaps a few hundred thousand major providers, and yet
there are millions of individuals' email domains in use. SMTP client
validation within a single transaction could eliminate far more abuse
than SPF. EHLO validation is yet another optional "feature" of SPF
that _might_ be accomplished after a dozen or so DNS transactions.
Unfortunately, SPF suffers from having too many "features" keeping
this feature from being practical. How convenient. : )

-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
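
An added example, not part of the original message or of any SPF implementation mentioned in the thread: a minimal evaluator for a subset of SPF (ip4, a, mx, include, all) run over constructed zone data. It shows how a PASS or FAIL for an envelope sender domain is reached through the customer's declaration of its provider's addresses, and how the DNS query count grows with each mechanism. The domains, addresses and the names `Resolver`, `check_host` and `evaluate` are assumptions made for illustration.

```python
import ipaddress

# Constructed zone data (documentation names and addresses, not real records).
ZONE = {
    ("customer.example", "TXT"): "v=spf1 include:provider.example -all",
    ("provider.example", "TXT"): "v=spf1 ip4:192.0.2.0/24 mx a:out.provider.example -all",
    ("provider.example", "MX"): ["mx1.provider.example"],
    ("mx1.provider.example", "A"): ["198.51.100.10"],
    ("out.provider.example", "A"): ["203.0.113.5"],
}

class Resolver:
    """Stand-in for DNS that counts every query it answers."""
    def __init__(self, zone):
        self.zone, self.queries = zone, 0
    def lookup(self, name, rtype):
        self.queries += 1
        return self.zone.get((name, rtype))

def check_host(ip, domain, dns, depth=0):
    """Evaluate the domain's policy for one SMTP client IP (subset of SPF)."""
    if depth > 10: return "permerror"  # guard against include loops
    record = dns.lookup(domain, "TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy, nothing to judge
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = addr in ipaddress.ip_network(arg)
        elif mech == "a":
            hit = ip in (dns.lookup(arg or domain, "A") or [])
        elif mech == "mx":
            hosts = dns.lookup(arg or domain, "MX") or []
            hit = any(ip in (dns.lookup(h, "A") or []) for h in hosts)
        elif mech == "include":  # only a "pass" from the included policy matches
            hit = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def evaluate(ip, mail_from_domain):
    dns = Resolver(ZONE)
    return check_host(ip, mail_from_domain, dns), dns.queries
```

`evaluate` returns the verdict together with the number of DNS queries the evaluation needed.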