ietf-mailsig

RE: Web pages for MASS effort

2005-01-10 11:52:16

On Fri, 2005-01-07 at 18:56 -0800, Hallam-Baker, Phillip wrote:
From: Douglas Otis [mailto:dotis(_at_)mail-abuse(_dot_)org] 
On Fri, 2005-01-07 at 14:09 -0800, Hallam-Baker, Phillip wrote:

As far as the recipient is concerned SPF provides authentication data,
always has done.

Any supposed authentication derived from this type of path registration
is based upon a false assumption of the mail channel integrity.  Such
integrity was premised upon a ubiquitous convention of checked
identities or that mail was point to point.  There are no such
conventions, and now you are saying that this list may include yet
another identity?  When used against MAILFROM, mail forwarded or passed
through a list server is at risk of being lost within a filter.  Calling
this authentication increases risks such authorization will result in
ungovernable reputation damage.  I truly believe SPF will lead to
greater problems.

This makes the efforts in authentication such as MASS even more vital.

All authentication schemes invariably conflate authorization to some degree
since the mere existence of an authentication credential is in almost all
cases indicative of the existence of a corresponding authorization datum at
the point in time when the credential was created, otherwise why bother to
create it?

It should be safer not to create the SPF "credential".  For SPF, the
"credential" is the address of the last hop having been authorized.
There can be no assurance of the "authentic" source of the message, as
this last hop may have been authorized by many domains or subject to
security breaches.  With the many identities potentially tested by SPF
filters, there can be no partial path registration (authorization)
without increasing the amount of lost mail. 

The SSL certificates sold by VeriSign and every other CA effectively
conflate authentication with authorization, that is one of the reasons that
the system works. So your claim that the two schemes 'are' orthogonal would
seem to be disproved entirely and in the light of the fact that Browser SSL
is the most successful cryptographic protocol deployed to date I don't think
the claim works in the normative sense either.

While a strong authentication may imply authorization, as with the case
of digital certificates, the reverse is not true.  The path registration
or authorization attempted by SPF is an orthogonal effort to that of
authentication.  SPF never provides more than authorization.  In fact,
it may have a serious problem even denying authorization.  

Perhaps if you had been willing to listen to what I was trying to say at the
MARID face to face rather than constantly interrupting and heckling as you
did you might be in a better position to understand these rather elementary
principles of computer security terminology.

Phillip, you are highly passionate about your opinions.  Everyone at the
Face to Face conducted themselves cordially with the exception of
yourself.  You were admonished by the chairs on more than one instance.
I am happy to say I was not receiving the brunt of these outbursts and
not surprised this emotional state clouded these memories.  This makes
it difficult for civil exchanges. You remarked at one point your dismay
that the group was not considering Digital Certificates.  I admit such
an effort would have created less risk.  

I raised a few questions about terms being used. These were serious and
earnest questions, as I wanted to understand what was being said with
the terminology surrounding the topic.  I think there is great benefit
having these terms defined and I would like to applaud efforts in that
direction.  There have been rather long discussions that concluded in
agreement following a difficult hashing through of the underlying
definitions.

-Doug

 

