-----Original Message-----
From: asrg-bounces(_at_)irtf(_dot_)org
[mailto:asrg-bounces(_at_)irtf(_dot_)org] On Behalf Of Paul Smith
Sent: Saturday, October 29, 2011 2:16 AM
To: Anti-Spam Research Group - IRTF
Subject: Re: [Asrg] Microsoft takes over British Telecom

I've been thinking about forwarding.

If you have A -> B, then server B forwards to server C, C can't do any
authentication based on A, because A doesn't know about the forwarding
(or it would, presumably, just send to C directly).

So, all sender domain authentication fails (without return path
rewriting).

There's an alternative proposal under development. The idea is that B
evaluates the message from A (be that with SPF or DKIM, or something else), and
then applies an Authentication-Results (RFC5451) field with its findings. When
it relays toward C, it DKIM-signs the augmented message first. When C gets it,
it verifies B's signature, and then it can use the contents of the
Authentication-Results field that B added to determine whether use of A's
domain was authorized, even if A's signature no longer validates (and
presumably A's SPF policy is guaranteed to fail at this point). There must, of
course, be an out-of-band arrangement that C trusts what B claims already in
place for this to work.

That's the theory. The specific mechanics and abuse defenses are still
evolving. The term "transitive trust" is being batted around as a label for
the concept. It's actually in production at a couple of large mailbox
providers already.

I've spoken to people at IETF about the DANE idea, and it's universally
considered a dead end, mostly because it simply doesn't scale and is
ineffective against infected machines that otherwise can get authorization in
the first place. DANE is really designed to authorize use of domain names with
respect to web pages, I believe, and not to authenticate clients.

-MSK
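
An added illustration of the receiving side (C) of the arrangement described in the message above; it is not code from the thread or from any provider's implementation. The domain names, the `trusted` map and the `dkim_pass` input (signing domains that C's own DKIM verifier has already validated) are assumptions, and the sample message is constructed.

```python
from email import message_from_string

# Constructed sample: what C receives from forwarder B (bh=/b= are placeholders).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=b.example; s=sel1;
 h=from:to:subject:authentication-results; bh=PLACEHOLDER; b=PLACEHOLDER
Authentication-Results: mx.b.example; spf=pass smtp.mailfrom=a.example;
 dkim=pass header.d=a.example
From: user@a.example
To: user@c.example
Subject: forwarded

body
"""

def dkim_tags(value):
    """Split a DKIM-Signature value into tag -> value, whitespace removed."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def upstream_results(raw, trusted, dkim_pass):
    """Return {method: result} asserted by a trusted forwarder, else {}.
    trusted:   {signing domain: authserv-id}, the out-of-band arrangement
    dkim_pass: signing domains whose signature C's own DKIM verifier
               validated (assumed input; no cryptography happens here)
    """
    msg = message_from_string(raw)
    ar_fields = msg.get_all("Authentication-Results", [])
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        domain = tags.get("d", "").lower()
        if domain not in trusted or domain not in dkim_pass:
            continue
        # DKIM covers repeated fields bottom-up, one instance per h= entry,
        # so an instance beyond the h= count is unsigned and nothing is trusted.
        signed = tags.get("h", "").lower().split(":")
        if signed.count("authentication-results") < len(ar_fields):
            continue
        results = {}
        for field in ar_fields:
            authserv, *stmts = [p.strip() for p in field.split(";")]
            if authserv.lower().split()[:1] != [trusted[domain]]:
                continue
            for stmt in (s for s in stmts if "=" in s):
                method, _, rest = stmt.partition("=")
                if rest.split():
                    results[method.strip().lower()] = rest.split()[0].lower()
        return results
    return {}
```

C would consult the returned results only after its own SPF and DKIM checks on A's domain have failed, which is the forwarding case the message describes.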