On Fri, 2004-12-03 at 09:30 +0000, Chris Haynes wrote:
> The ones which appear to me to have been added by PRA (derived from Caller-ID)
> in Sender-ID are:
> 1) Abuser can forge addresses at domain
This is common to PRA and SPF. Anyone with an account on one of the
'authorised' boxes (or subnets, if dynamic IP is in play) can send mail
which passes. There isn't even an option to require that the mail comes
from a port < 1024, which is odd.
> 11) Makes forgery blowback problem _much_ worse
Not sure about this one. I don't actually see why this is the case.
> 12) Patent issues
> 13) spam-profiteering / charges for SPF services
I don't understand this one either, but I don't think it's specific to
PRA.
> And ones which probably represent universal engineering concerns:
> 2) Abuser can use stolen credential
> 5) Ongoing Maintenance issues
> 6) Migration issues
> 9) Lack of universal compliance.
> although of course the way and degree to which these concerns manifest
> depends on the exact scheme in question.
In particular, number nine does vary to a vast degree; so much so that
it should be considered a separate problem for some of them. There's a
big difference between a scheme which requires _universal_ compliance,
and a scheme which requires only the sending and receiving parties to
participate, without any need for the rest of the world to change.
--
dwmw2
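The host-level authorisation discussed in the reply above, as an added example that is not code from the thread: a minimal SPF-style evaluator (ip4 and all mechanisms only; the record for the placeholder domain example.org is constructed inline rather than fetched from DNS). It shows that the verdict depends on the connecting host alone, so any account on an authorised box passes regardless of the local part, and nothing about the source port is consulted.

```python
import ipaddress

# Constructed SPF record for a placeholder domain. A real check would
# fetch this as the domain's TXT record from DNS.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(mail_from: str, client_ip: str, records=SPF_RECORDS) -> str:
    """Evaluate an address against the sending host's IP.

    Only the domain of mail_from and the client IP take part; the local
    part, the submitting account and the source port are never examined.
    Mechanisms other than ip4 and all are skipped in this reduced version.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            # A bare address with no prefix length is treated as /32.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # a, mx, include, exists ... not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def demo():
    # Two different users on the same authorised host both pass.
    alice = evaluate_spf("alice@example.org", "192.0.2.10")
    ceo = evaluate_spf("ceo@example.org", "192.0.2.10")
    # A host outside the authorised set fails.
    outside = evaluate_spf("alice@example.org", "203.0.113.7")
    return alice, ceo, outside


if __name__ == "__main__":
    print(demo())
```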