ietf-mxcomp

Re: So here it is one year later...

2005-02-01 07:07:17

Wayne,

A good, well-thought-out system would factor out "mailing list" or other
considerations.

What is a mailing list anyway?   It is just a new "agent" into mail stream.

In my view, the real problem is the unfortunate direction where more and
more systems are disrespecting the decades old tradition of not screwing
around with the Mail Integrity.

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office

----- Original Message -----
From: "wayne" <wayne(_at_)schlitt(_dot_)net>
To: "IETF MARID WG" <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Tuesday, February 01, 2005 5:02 AM
Subject: Re: So here it is one year later...



In 
<Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0501311413490(_dot_)27005-100000(_at_)sokol(_dot_)elan(_dot_)net>
"william(at)elan.net" <william(_at_)elan(_dot_)net> writes:

> On Mon, 31 Jan 2005, wayne wrote:
>
>> DK and SPF have different failure modes. I don't think this is a
>> competition situation. A system with both schemes is much more
>> effective than either on its own.
>> [snip]
>
> They are complementary, but they work and protect different parts of the
> email message. That means each one must be able to work on its own, independent
> of the other one, and authentication should work properly on each layer.
> You cannot have a failure scenario of one system depending on the
> authentication in another layer - this is just a bad security
> architecture.

You certainly have a point here, but I think you overstate it a
little bit.

If both SPF and the crypto systems (DK/IIM/SES/etc.) agree on the
results, then you have much more reliable whitelisting *or*
blacklisting.

If SPF passes and the crypto system fails, then that is good evidence
that the email came from a mailing list.  Combined with other
evidence, you can get pretty good results.

If SPF fails and the crypto system passes, then that is good evidence
that the email came from a forwarder.  Combined with other evidence,
you can get pretty good results.


> That means if we want to use SPF and mail signatures for anything other
> than whitelisting (i.e. to get rid of actual bad messages and find bad
> senders), we must find ways to deal with SPF forwarding problems on the
> SMTP session layer and must have MASS signatures that work with mail
> lists.

Yes, SPF *MUST* continue to work on the forwarding problem so that you
don't have just "good evidence", and the same for the crypto systems.
However, I don't think either kind of system will ever be able to
completely solve their weaknesses.


I still think, and have said so many times over the last year or so,
that these systems can complement each other.


-wayne
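The combination rule wayne sketches in the quoted exchange (agreement is strong evidence either way; SPF pass with a broken signature suggests a mailing list; SPF fail with an intact signature suggests a forwarder; "other evidence" sharpens the call) can be written down as a small receiver-side policy. The code below is an added example written for this archive page, not code from any participant or from the SPF, DomainKeys, IIM or SES projects. It assumes the SPF and signature results have already been computed by separate verifiers and are passed in as strings; the `List-Id` and `List-Post` headers are real RFC 2919/2369 list headers used as the "other evidence" for the mailing-list case, a caller-supplied set of trusted forwarder domains stands in for forwarder evidence, and the two sample messages and all confidence weights are constructed for illustration.

```python
"""Combine an SPF result and a message-signature (DK/DKIM-style) result into a
single disposition, following the reasoning in wayne's message.  Hypothetical
receiver policy for illustration; results and weights are constructed."""
from dataclasses import dataclass
from email import message_from_string


@dataclass
class Verdict:
    disposition: str    # "accept", "reject" or "neutral"
    reason: str
    confidence: float   # 0.0 .. 1.0, how much weight the combined evidence carries


# Constructed sample messages (not taken from the thread).  The first one carries
# the list headers a mailing-list expander adds; the second is a direct delivery.
LIST_MESSAGE = """\
From: alice@example.org
To: ietf-mxcomp@example.net
List-Id: Example working group <ietf-mxcomp.example.net>
List-Post: <mailto:ietf-mxcomp@example.net>
Subject: constructed sample

body altered by the list (footer appended), so the body signature breaks
"""

DIRECT_MESSAGE = """\
From: alice@example.org
To: bob@example.com
Subject: constructed sample

plain direct delivery
"""


def classify(spf, sig, raw_message, relay_domain, trusted_forwarders=frozenset()):
    """Return a Verdict for one message.

    spf / sig          -- "pass", "fail", or anything else for "no usable result"
    raw_message        -- the RFC 2822 message text (headers are the extra evidence)
    relay_domain       -- domain of the host that handed us the message
    trusted_forwarders -- domains the operator has allow-listed as known forwarders
    """
    msg = message_from_string(raw_message)
    spf, sig = spf.lower(), sig.lower()
    via_list = msg.get("List-Id") is not None or msg.get("List-Post") is not None
    via_trusted_forwarder = relay_domain.lower() in {d.lower() for d in trusted_forwarders}

    # Both layers agree: the most reliable whitelisting or blacklisting signal.
    if spf == "pass" and sig == "pass":
        return Verdict("accept", "SPF and signature agree", 0.95)
    if spf == "fail" and sig == "fail":
        return Verdict("reject", "SPF and signature both fail", 0.90)

    # SPF pass, signature broken: the list-expander pattern (body was modified,
    # but the list's own host is permitted to send).  List headers raise confidence.
    if spf == "pass" and sig == "fail":
        if via_list:
            return Verdict("neutral", "signature broken, list headers present: probably a mailing list", 0.70)
        return Verdict("neutral", "signature broken, no list evidence", 0.40)

    # SPF fail, signature intact: the forwarder pattern (envelope sender unchanged,
    # body untouched).  A known forwarder is the extra evidence that lets us accept.
    if spf == "fail" and sig == "pass":
        if via_trusted_forwarder:
            return Verdict("accept", "SPF fail but signature intact via known forwarder", 0.80)
        return Verdict("neutral", "SPF fail, signature intact, forwarder unknown", 0.50)

    # "none", "neutral", "temperror" and the like: nothing to combine.
    return Verdict("neutral", "one or both checks gave no usable result", 0.20)


if __name__ == "__main__":
    for args in [
        ("pass", "pass", DIRECT_MESSAGE, "mail.example.org"),
        ("pass", "fail", LIST_MESSAGE, "lists.example.net"),
        ("fail", "pass", DIRECT_MESSAGE, "fwd.example.net", {"fwd.example.net"}),
        ("fail", "fail", DIRECT_MESSAGE, "mail.example.org"),
    ]:
        print(classify(*args))
```

Note that neither disagreement case is allowed to reject on its own, which is the point william makes about not letting one layer's failure depend on the other: the mismatch only becomes actionable once the extra evidence (list headers, a forwarder allow-list) is present, and even then the accept path is the only one it unlocks.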