On Tue, 2004-12-07 at 14:51, Dave Crocker wrote:
> All proposals are different in their details; the important thing is
> what they can _achieve_. Take CSV and SPF, for example. Of course the
> details vary, but in practice they do exactly the same thing. Consider:
> MAIL
FROM:<SRS0=xx=yy=ox(_dot_)org=aland(_at_)forwarder(_dot_)org>
> From: aland(_at_)ox(_dot_)org
>
> Precisely because SPF validates only one hop, it's achieving no more
> than CSV is. The recipient can look up how much they should trust
> 'forwarder.org' but you can't really tell if the message _really_ came
> from you.
SPF uses per-message validation. It can be viewed as validating the
latest-hop sending MTA, but the validation is provided by the
originating sender. Hence, SPF requires route registration. In truth
it is validating the originating sender, where the latest-hop MTA is
merely a way into that information.
The word validation with respect to SPF is a bit vague. A more accurate
term would be authorization. The lack of assurance of intervening nodes
making a consistent check or their security removes assurances as to the
originating sender. It would be better said that SPF validates the
authorizations provided by the originating sender. Although
authorization may be sufficient to assert favorable accreditations,
authentication is required to hold a domain accountable for abuse.
[CSV] uses per-session validation. Its validation is based on the
latest-hop sender's administration, rather than stretching back to the
origin.
More specifically, there is no assumption regarding intervening nodes
making specific checks nor assumed security. CSV authenticates the
domain administering the sending of the mail within the strength of the
underlying IP infrastructure. This strength permits holding the domain
administering the sending of mail accountable. The fact that both
schemes form a response based upon the last hop misses two important
points. One, the strength of any assertion with respect to
accountability. Two, who is expected to respond to any problem.
These are not small differences. In fact their semantics,
administration and use are entirely different.
Agreed.
-Doug