ietf-mxcomp

Re: A new SMTP "3821" [Re: FTC stuff...........]

2004-12-07 15:59:50

On Tue, 2004-12-07 at 16:34 -0500, Alan DeKok wrote:
> SPF validates the use of a name in MAIL FROM for *any*
> hop.  CSV validates that an SMTP client is affiliated with a domain
> name it's using in EHLO.
>
> The validations are orthogonal, because they are validating
> different fields which do not have to be correlated.

In the SPF advocates' imaginary world where SRS is common, there's a
_much_ stronger correlation between the two validations than there is in
the real world today.

> The issue SES has that RMX doesn't is that the cryptographic tokens
> it uses can be copied.  e.g. Grab tokens from somewhere, and for a
> short period of time, use them to send spam to third parties.  While
> there are ways to fix this issue, most involve a re-thinking of what
> we mean by "sending email".

Some do. SES allows the sender to encode a message-digest in the
reverse-path to prevent the replay attack. I probably wouldn't describe
that option as 're-thinking' but I've entertained too many pointless
debates on terminology (in particular 'forgery') to bother to try to ask
precisely what you mean by that word.

"its name". But yes. The question is how you identify that traffic.

> Use of the name in a field in a protocol.  e.g. EHLO or MAIL FROM.

Right. And it doesn't necessarily matter _which_ name as long as you can
be sure the sending party is really supposed to be using that name.
Which is why I don't agree with you that they're entirely orthogonal.
They're different, it's true; but what they achieve in the long run is
basically the same. 

> Cryptographic approaches solve a lot of problems inherent in
> IP-based approaches, because they tie authentication to identity, and
> not to location.

Right. The cryptographic approaches make a lot more sense, as far as I
can tell.

-- 
dwmw2
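An added illustration of the replay problem and the message-digest binding discussed in this message; it is not code from the thread or from the SES draft. The token layout, the `ses=` prefix, the truncated HMAC and the key are all constructed for the demo and differ from the real SES encoding.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real deployment would use the sending domain's secret.
SECRET = b"example-secret-key"

def ses_sign(local, domain, key, body=None, when=None):
    """Build a signed reverse-path (constructed format, not the SES draft's).
    Without a body the token binds only sender and time, so anyone who copies
    it can reuse it within the window; with a body it also binds the message."""
    when = int(time.time()) if when is None else when
    digest = hashlib.sha256(body).hexdigest()[:16] if body is not None else "0"
    msg = f"{local}@{domain}|{when}|{digest}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return f"ses={tag}={when}={digest}={local}@{domain}"

def ses_verify(reverse_path, key, body=None, now=None, window=86400):
    """Return True if the tag is valid, not expired and, when the token carries
    a digest and the body is available (i.e. after DATA), the digest matches."""
    try:
        prefix, tag, when, digest, addr = reverse_path.split("=", 4)
        when = int(when)
    except ValueError:
        return False
    if prefix != "ses":
        return False
    now = int(time.time()) if now is None else now
    if not (0 <= now - when <= window):
        return False  # token outside its validity window
    msg = f"{addr}|{when}|{digest}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False  # tag forged or token tampered with
    if body is not None and digest != "0":
        # Replay check: the copied token only validates for the original message.
        return hmac.compare_digest(digest, hashlib.sha256(body).hexdigest()[:16])
    return True
```

At MAIL FROM time the verifier can only check the tag and the window; the digest comparison has to wait until the message body has been received.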