ietf-asrg

Re: [Asrg] SPF apologies

2009-01-29 20:33:00

On Jan 28, 2009, at 7:55 PM, Bill Cole wrote:

Which is where SPF has entrenched itself. It is the easiest standardized mechanism for affirmative authentication of senders. It's not a general tool for identifying all forgeries, but it is useful and it is in widespread use. Ranting against its use is a few years late and not constructive, particularly when the critique is aimed at flaws that are avoided by the narrow uses that are actually common.

Bill,

There is now the Authentication-Results header that offers dangerous ways to reveal SPF results. The draft defining the use of this header suggests, in so many words, that local-parts are not to be included unless local-part macros are employed.

Please be careful about misrepresenting what is achieved when an SMTP client has been SPF authorized by a domain. Don't describe the authorization as having "authenticated" the source domain. It is worrisome to contemplate the number of people who will be misled and harmed by the many ways that this erroneous conclusion can be exploited by those with access to outbound servers. Earning the status of Authentication should not be based upon a number of doubtful assumptions.

-Doug