ietf-mxcomp

Re: Forged Sender (Resent-From) attacks

2004-08-19 03:29:28

"Graham Murray" <graham(_at_)webwayone(_dot_)co(_dot_)uk> commented:


"Chris Haynes" <chris(_at_)harvington(_dot_)org(_dot_)uk> writes:

If so (and these misunderstandings were corrected), is there an engineering
opportunity to work towards a sympathetic fusion of Sender-ID and SPF *at this
time*?

Do not forget that Sender-ID is supposed to already be a fusion of SPF
and the original Microsoft Caller-ID.


Hello Graham,

What do you mean by "supposed"?

"required"?
"alleged"?
"presumed"?

As far as I can tell, Sender-ID has adopted some of SPF's better implementation
ideas, including:

- The record and macro formats
- The opportunity for early rejection (with the SUBMITTER option)

but, functionally, it still tests a different entity (the PRA vs. the Mail-From:
address) and thus has the 'unauthorised bounce' weakness that many people are
concerned about.

There may be other significant differences - I've not done that detailed an
analysis.

Then there is the licensing issue: I don't think any Open Source advocate would
describe the current Sender-ID as a "sympathetic fusion" of the two approaches
to licensing.

Note also Meng's post of
http://www.imc.org/ietf-mxcomp/mail-archive/msg03093.html
which seems to indicate that Meng believed (on 6 Aug) that there was still a
substantive difference between Sender-ID and his conception of "Unified spf".

Chris Haynes
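The point above about SPF and Sender-ID testing different entities, as an added example that is not part of this thread or of either specification's reference code: SPF evaluates the envelope MAIL FROM (the address that receives bounces), while Sender-ID evaluates the PRA selected from the headers, so the two checks can disagree on the same message. The authorization table and the sample message are constructed; the table stands in for published DNS policy records.

```python
# Added example (not from the thread): which identity each check tests.
from email import message_from_string
from email.utils import getaddresses

# Sender-ID's PRA selection order: the first header present wins.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def select_pra(raw_message):
    """Return the Purported Responsible Address, or None if ambiguous."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        values = msg.get_all(name)
        if not values:
            continue
        addrs = [a for _, a in getaddresses(values) if a]
        # The chosen header must carry exactly one address.
        return addrs[0] if len(addrs) == 1 else None
    return None

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

# Constructed table standing in for published policy records:
# domain -> set of client IPs permitted to send on its behalf.
AUTHORIZED = {
    "example.org": {"192.0.2.10"},
    "victim.example": set(),
}

def check(domain, client_ip):
    """'pass' if client_ip is authorized for domain, else 'fail'."""
    return "pass" if client_ip in AUTHORIZED.get(domain, set()) else "fail"

def evaluate(mail_from, raw_message, client_ip):
    """Run the MAIL FROM (SPF-style) and PRA (Sender-ID-style) checks."""
    pra = select_pra(raw_message)
    return {
        "mail_from": check(domain_of(mail_from), client_ip),
        "pra": check(domain_of(pra), client_ip) if pra else "fail",
    }

# Constructed message: the headers name example.org, but the envelope
# sender, where any bounce would be delivered, names an unrelated domain.
SAMPLE = "From: alice@example.org\nTo: bob@example.net\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    print(evaluate("someone@victim.example", SAMPLE, "192.0.2.10"))
```

A receiver that only runs the PRA check would accept this message even though the bounce address belongs to a domain that never authorized the sending host, which is the "unauthorised bounce" concern raised in the message.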