--Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
| Operators of MTAs are free to change nothing; and things will work
| about as well as they do now -- until spammers escalate things so that
| overly-broad IP blacklists are applied widely and the MTA's IP address
| finds its way onto them. Possibly, they'll even be miraculously lucky
| and its IP address _won't_ find its way onto any blacklist. ;^)
The above is also true of Unified SPF.
The major problems result from weak transversal authorization determined
by SPF. You may consider these the same, but the details entailing such
is important. ACCREDITATION can not be administered if the
Authentication and Authorization are not confirmed for unknown, in
addition to that determined to be accepted. It is apparent that SPF
only provides weak path assurance regarding an accepted message. The
assurances for either unknown or rejected messages are nil. That is a
huge category left open.
Doug- I couldn't understand this paragraph, and I think it's important to
understand what you're saying here -- some of the keywords suggest that you
feel it's an important point.
Here are some followup questions.
Q. What is a "transversal authorization?" What makes one weak vs. strong?
Q. Regarding this sentence, I couldn't quite unwind what you meant, though
I am probably close to understanding:
ACCREDITATION can not be administered if the
Authentication and Authorization are not confirmed for unknown, in
addition to that determined to be accepted.
I understand this to mean "If the result is "unknown" then accreditation
cannot be applied. I would take that as a given, but I believe that is the
same with both SPF and CSV. Is this meant to imply that the existence of
an "unknown" state itself is a defect? If I understand correctly, CSV also
has an "unknown" state. In both proposals, I believe the domain owner has
to make sure a PASS or "known good" result is received before honoring any
accreditation, right? Anyway, let me know if you meant something else
here that I am not understanding.
Q. Regarding these two sentences, please clarify:
It is apparent that SPF
only provides weak path assurance regarding an accepted message. The
assurances for either unknown or rejected messages are nil. That is a
huge category left open.
Is this meant to state that a CSV "authorized" result is stronger than an
SPF PASS result? Why do you say that? Both are comparing an IP address to
a DNS record, and in that regard seem to provide very similar features from
the technical side. Do you mean that there is a difference in how the
records will be interpreted by users? Is it because of the way the drafts
are written? I'm trying to understand if it is a difference in the design,
or just in how it is used by implementors and explained to users...
Also what do you mean by "The assurances for either unknown or rejected
messages are nil". What assurance does CSV provide if the status is
unknown? If the status is reject/fail, doesn't that mean reject the
message, and isn't the "strength" of that assertion the same for both SPF
and CSV?
Thanks
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>