ietf-mxcomp

RE: draft-schlitt-spf-classic-02.txt

2005-06-08 23:57:20


-----Original Message-----
From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Douglas Otis
Sent: Wednesday 8 June 2005 21:20
To: MARID
Subject: draft-schlitt-spf-classic-02.txt


This is where SPF and Sender-ID make a very serious mistake.  This
assumes "server authorization" is equivalent to "sender
authentication." It would be like me making a declaration that the
postal service is authorized to deliver my letters, where recipients
are then claiming any letter received from the postal service bearing
my name is authentically or genuinely from me.

Your argument is essentially correct, which is why I lobbied,
successfully, to change the wording "can now proceed with confidence in
the identity" to "can now proceed with confidence in the legitimate use of
the identity" (by the connecting client).

There is still a gap left between being "authorized" and being able to say
the return address is "authentic". From the perspective of a reputation
service, however, things are not as bleak as you portray. Because "pass"
is not just saying this or that IP is authorized, but is also,
effectively, an expression of trust. Trust that the MTA you authorized
will, itself, prevent abuse of its services (when perpetrated by its own
customers). Otherwise you would not continue to trust that MTA. And such
expressed trust, if shamed, can be withdrawn. And, if not withdrawn over
time, the meaning of your expressed trust, with "pass", can be said to
increase accordingly.

So that is why we, in the SPF Council, after heated debate, at long last
agreed on a compromise. We would state that, after a "pass", one could
only "proceed with confidence in the legitimate use of the identity" (and
nothing more); but that, in the case of reputation, receivers could take
this expressed trust in the MTA to mean, especially when seen over a
prolonged period (and reputation is typically built up over time anyway),
that the domain takes responsibility for the reputation it builds up.

All in all, I think the resulting wording for "pass" was as even-handed as
we could make it.

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
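Added example, not part of the thread above and not code from the SPF project: a receiver-side sketch of the distinction Mark and Douglas are arguing over. The SPF evaluator handles only the ip4 mechanism and the "all" default, so a "pass" means exactly "the domain authorized this client IP to use its name" and nothing about who wrote the message. The reputation ledger then charges a message to the MAIL FROM domain only on "pass", which is the "domain takes responsibility for the reputation it builds up" reading of the compromise wording; once the domain withdraws its authorization (a changed record), later messages from that IP are no longer charged to it. The SPF records, IP addresses (documentation ranges) and spam/ham verdicts are all constructed for the example.

```python
"""Added example: SPF "pass" as authorization plus accountability.

Constructed for illustration; the records, IPs and verdicts are not real.
"""
import ipaddress
from collections import defaultdict

# Constructed DNS view (hypothetical zones): MAIL FROM domain -> SPF TXT record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate a minimal subset of SPF: ip4 mechanisms and the 'all' default.

    Returns one of pass, fail, softfail, neutral, none.  A 'pass' states only
    that the domain authorized this connecting IP to use its name ("server
    authorization"); it says nothing about who authored the message.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"                      # no policy published
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to a pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]   # catch-all, e.g. -all or ~all
        if term.startswith("ip4:") and ip.version == 4:
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no 'all' term


class ReputationLedger:
    """Receiver-side reputation keyed on the MAIL FROM domain.

    A message is charged to the domain only when SPF returns 'pass', because
    only then has the domain vouched for the sending MTA.  Messages that fail
    (including from an IP whose authorization was later withdrawn) are not
    attributed to the domain at all.
    """

    def __init__(self):
        self.counts = defaultdict(lambda: {"ham": 0, "spam": 0})

    def record(self, client_ip, mail_from_domain, is_spam, records=SPF_RECORDS):
        """Run the SPF check and, on 'pass', charge the verdict to the domain."""
        result = spf_check(client_ip, mail_from_domain, records)
        if result == "pass":
            self.counts[mail_from_domain]["spam" if is_spam else "ham"] += 1
        return result

    def score(self, domain):
        """Fraction of attributed messages that were ham; None if nothing attributed."""
        c = self.counts[domain]
        total = c["ham"] + c["spam"]
        return None if total == 0 else c["ham"] / total


def withdrawal_demo():
    """Show authorization being withdrawn: the same IP, a changed record."""
    before = spf_check("192.0.2.5", "example.com")
    revised = {"example.com": "v=spf1 -all"}        # constructed: domain drops the range
    after = spf_check("192.0.2.5", "example.com", revised)
    return before, after


if __name__ == "__main__":
    ledger = ReputationLedger()
    for _ in range(8):
        ledger.record("192.0.2.5", "example.com", is_spam=False)
    for _ in range(2):
        ledger.record("192.0.2.5", "example.com", is_spam=True)
    print("example.com score:", ledger.score("example.com"))
    print("unauthorized IP:", ledger.record("203.0.113.9", "example.com", is_spam=True))
    print("withdrawal:", withdrawal_demo())
```

The score is only ever moved by messages the domain actually vouched for; a forged MAIL FROM from an unauthorized IP fails and leaves the domain's standing untouched, and a domain that stops authorizing an abusive relay stops being charged for it from that point on.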