On Fri, 2005-07-15 at 21:32 -0500, wayne wrote:
> From what I can tell, draft-kucherawy-sender-auth-header attempts to
> define a generic header for various email authentication systems. If
> so, I somewhat question the wisdom of doing so. The definitions for
> such terms as "pass" in the sender-auth-header I-D do not match those
> definitions in the SPF-classic spec, and if I understand the folks in
> the CSV camp correctly, an SPF "Pass" is not the same as a CSV
> "Pass". Ditto for PGP results, or MTAMark results.
Agreed.
Multiple levels of a validation failure do not offer clarity regarding
whether the MTA is authorized, or whether a mechanism is mandated but
missing.
The current Result status is inadequate for a general purpose header.
Describing server-authorization derived from path registration as
"sender-authentication" places the reputation of domain owners sharing
an MTA at risk. The prevalence of Zombies makes such an assertion based
upon server-authorization dangerously flawed from a consumer's
perspective.
,---
| result = "pass" / "fail" / "softfail" / "neutral" /
| "temperror" / "permerror"
| ; an indication of the results of the attempt to
| ; authenticate the sender
'---
This is clearly specific to SPF/Sender-ID. Perhaps something more
specific, such as:
    result = "authen" / "authen-author" / "author" / "not-author" /
             "non-compliant" / "unknown" / "temperror" / "permerror"
             ; results of an attempt to validate an identity
Without a new assertion added where the MTA assures exclusive use of a
domain, path registration validation should return "author[ized]" rather
than "authen[ticated]" as currently implied by "pass" according to this
draft. This greater specificity would also allow greater utility with
other mechanisms, such as DKIM or CSV.
-Doug