On Fri, 2004-11-26 at 15:42, Hector Santos wrote:
<snip>
In addition, as a vendor, I am very interested in supporting the mandates
imposed by our Federal Government laws such as CANSPAM - that means complete
email address validation and Topic Identification concepts.
Let's look at more specifics. We have essentially one or more of the
following:
1) EHLO/HELO validation
2) MAIL FROM validation
3) RCPT TO validation
4) DATA validation, if any
5) Mixed Validation
6) No Validation at 2821
7) Post SMTP validation
8) Bounce Requirements
SPF concentrates on #2, and it lost on handling #1 and proper handling of
#5. It ignores #3.
CSV concentrates on #1, gets lost on SMTP AUTH issues, proper handling of
#5 and also ignores #3.
<snip>
CSV only ensures the EHLO/HELO can be authenticated and does not hinder
other authentications.
"Concentrates on validation" does not define what is provided.
Authentication is different than offering authorization lists and
presuming the entire system is secure.
There is a fair amount of information obtained with the specific
authentication and authorization made available with CSV. With this
information, a specific domain is indeed accountable for the host and
has authorized the sending of mail. With this authenticated name, other
associations can be safely made.
BATV is useful to protect related network resources of the return path.
CSV is useful to protect the related network resources of the recipient
path, when used with a reputation service. Digital signatures are
useful to prevent domain forgeries and to also establish
accountability. Schemes that require the processing of the message,
however, do not offer network resource protection.
There are safer solutions for path registration, but such schemes are
not useful for locating security problems or for application of a
reputation service. Messages that have only been authorized, but not
authenticated, are not sufficient to establish accountability as a basis
for reputation.
-Doug