ietf-mxcomp

Re: Improving SUBMITTER - Persistent User Address/Account (PUA)

2004-07-12 20:48:44


----- Original Message ----- 
From: "Scott Kitterman" <scott(_at_)kitterman(_dot_)com>
To: <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Saturday, July 10, 2004 3:54 PM
Subject: RE: Improving SUBMITTER - Persisent User Address/Account (PUA)


o Suggestion to improve SUBMITTER proposal:
   Persistent User Account (PUA)

I think this is absolutely brilliant.  From the perspective of a small
domain owner that doesn't run my own MTA (aka vanity domain), this has the
potential to resolve my concerns about use of shared MTAs as designated
senders.  I would go one step farther and allow authorized submitters to be
identified in the sender policy.

I currently use SPF, but have ?include:isp.net in my SPF record because I am
concerned about someone else forging my domain from the isp.

At first, I was thinking you meant just having a MX directive in your own
SPF records, but you are adding a directive exposing a 3rd party SPF policy.
Right?

This isn't much use.

Right.  That would solve the problem for a changed return path that is SPF
ready at the MDA but is not part of the original ISP SPF domain at the MSA.

If I could designate an authorized submitter, then I would be in
a position to make a stronger statement about the message being
authorized.
If I could, instead, have +submitter:username(_at_)isp(_dot_)net in my record
it would say something positive.

At first thought, ideas like this are "scary" when exposing this type of
information. It might be exploitable, in this or other ways, possibly.  But
I can see where it works.

I believe that your proposal in combination with supporting changes in
sender policy definition would add significant strength to the Sender-ID
proposal.

Yes.  If anything, if it does get adopted this way, I can see the ISP
having no qualm about providing a web-based form where the user can supply a
list of his non-ISP domain identities. The USER may have a privacy issue
with that but at least the ISP is making the offering :-)

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
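
Added example, not part of the original message or of any SPF/Sender-ID draft: a simplified first-match evaluator contrasting the `?include:isp.net` record with the `+submitter:` term suggested in the thread. The `submitter` mechanism, the `evaluate` function, the sample IPs and the way the receiver learns the authenticated account (`auth_submitter`) are all assumptions made for illustration.

```python
# Added illustration: simplified SPF-style evaluation. "submitter:" is the
# mechanism proposed in this thread, NOT part of real SPF.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: IPs each included domain's own policy would pass.
INCLUDED_POLICIES = {"isp.net": {"192.0.2.25"}}


def parse_term(term):
    """Split a term into (qualifier, mechanism, argument); '+' is the default."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mechanism, _, argument = term.partition(":")
    return qualifier, mechanism.lower(), argument


def evaluate(record, client_ip, auth_submitter=None):
    """Return the result of the first matching term, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mechanism, argument = parse_term(term)
        if mechanism == "all":
            matched = True
        elif mechanism == "include":
            matched = client_ip in INCLUDED_POLICIES.get(argument.lower(), set())
        elif mechanism == "submitter":  # hypothetical, from the thread
            matched = (auth_submitter is not None
                       and auth_submitter.lower() == argument.lower())
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched


# Constructed records for a vanity domain hosted on a shared ISP MTA.
VANITY_TODAY = "v=spf1 ?include:isp.net -all"
VANITY_PROPOSED = "v=spf1 +submitter:username@isp.net -all"
```

With `VANITY_TODAY`, any mail leaving the ISP's MTA evaluates to neutral whether the domain owner or another ISP customer sent it; with `VANITY_PROPOSED`, only the named account yields pass and other ISP customers fall through to `-all`.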