ietf-mxcomp

Re: SPF abused by spammers

2004-09-15 15:28:20

Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
  I thought we were discussing security terms, not Latin.

We are discussing the difference between send control lists and
authentication.

  Side-lines into Latin, and what words meant 2000 years ago aren't
helpful.  If they were, we wouldn't be using the letter "j", and we
would be pronouncing "v" as "w".

To refresh this point:
http://www.imc.org/ietf-mxcomp/mail-archive/msg04648.html

  My point then, as now, is:

  - Entities who have information should use it to make decisions.
  - Entities who do not have information cannot use it to make decisions.

You are advocating Sender-ID or SPF identities are authenticated.  I
still claim this is a misuse of the term authenticate as this presumes
the integrity of the mail channel and the nature of the list.

  It presumes that the entities publishing those records have read the
specification of the protocol they're implementing, and understand
its costs and benefits.  The meaning of those records is as defined
in the specifications, nothing more, or less.

I noted the hazard making this assumption would cause with respect
to harming reputations of those that, through no action on their
part, receive negative assertions.

  Again, your focus is on reputations and negative assertions.  Mine
is not.

  http://www.imc.org/ietf-mxcomp/mail-archive/msg04818.html

  Your response to that message didn't acknowledge that my goals are
different from yours.  While I understand very well your concerns
about negative reputations, I do not see reputations as the primary
goal of SPF, Sender-ID, or the MARID WG.  Instead, what's important is
the ability of a domain to publish a list of authentic outgoing MTAs.

  Reputation systems are secondary to the primary goal, and are
piggy-backed on top of it.  I don't see a need to discuss MARID-based
reputation systems until such time as we have a clear specification of
not only an MTA authentication system using DNS, but also the costs
and benefits of using such a system.

  If that MTA authentication system is correct and useful, then
reputation systems can be built on top of it.  If the MTA
authentication system is not correct or useful, then any reputation
systems which depend on it will be likewise useless.

  Alan DeKok.

