In
<Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0501311413490(_dot_)27005-100000(_at_)sokol(_dot_)elan(_dot_)net>
"william(at)elan.net" <william(_at_)elan(_dot_)net> writes:
On Mon, 31 Jan 2005, wayne wrote:
DK and SPF have different failure modes. I don't think this is a
competition situation. A system with both schemes is much more
effective than either on its own.
[snip]
The are complimentary but they work and protect different parts of email
message. That means each one must be able to work on its own independant
of the other one and authentication should work properly on each layer.
You can not have failure scenario of one system being depdending on the
authentication in another layer - this is just a bad security architecture.
You certainly have a point here and but I think you over state it a
little bit.
If both SPF and the crypto systems (DK/IIM/SES/etc.) agree on the
results, then you have much more reliable whitelisting *or*
blacklisting.
If SPF passes and the crytpo system fails, then that is good evidence
that the email came from a mailing list. Combined with other
evidence, and you can get pretty good results.
If SPF fails and the crypto system passes, then that is good evidence
that the email came from a forwarder. Combined with other evidence,
and you can get pretty good results.
That means if we want to use SPF and mail signatures for anything other
then whitelisting (i.e. to get rid of actual bad messages and find bad
senders), we must find ways to deal with SPF forwarding problems on the
SMTP session layer and must have MASS signatures that work with mail lists.
Yes, SPF *MUST* continue to work on the forwarding problem so that you
don't have just "good evidence", and the same for the crypto systems.
However, I don't think either kind of system will ever be able to
completely solve their weaknesses.
I still think, and have said so many times over the last year or so,
that these systems can complement each other.
-wayne