ietf-mxcomp

Re: [spf-help] Re: SPF and SenderID

2005-07-20 12:55:39

> There are experimental versions of SPF Classic and Sender-ID with a few
> still trying to find solutions for problems that remain with these
> approaches.  Two areas are still wanting.  One is a means to assert scope
> in SPF classic to indicate that the PRA has not been evaluated and should
> not be used.  The other is a means to indicate the exclusive use of a
> domain is or is not being assured by the server.


I don't know of a good way to objectively tell whether something is
experimental.  Quite a number of people use SPF and don't intend to stop,
but it's still a minority in terms of the world population of domains and
mail servers.  So, I guess the "experimental" label can be applied to
either usage, but in terms of numbers, SPF classic is clearly ahead in
terms of adoption.

I'm not sure exactly what is meant by "a means to indicate the exclusive
use of a domain is or is not being assured by the server".  The spec is
pretty clear on what constitutes a "pass" vs. "unknown".  I have been
suggesting to people for quite some time that they should use the "+" mode
if they control the MTA, or if they trust the MTA operators enough to take
responsibility for the MTA's actions.

For some domain owners, this could mean "the site uses SMTP AUTH and
doesn't allow spoofing of other domains".  For others, they may be content
with "the site doesn't currently have an ongoing forgery problem".  This
is a tradeoff the domain owner must decide for himself.  If they don't
wish to take responsibility for the MTA, they should use "?" instead of
"+" to add it.  We want to encourage everyone to move to the "+" column
eventually, but there is still quite a bit of value in narrowing the "?"
space from ?all to ?certain-MTAs -all.  Every little bit helps.

I think we have been over the difference between "+" and "?" in the spec
before, so I'm puzzled as to why this is still often (very often) brought
up as a "fault".  Do you really see it as a fault, or is it just a
convenient place to attack SPF because people often get confused about it?
Do you understand the difference between Pass and Neutral results?

(Last I checked CSV doesn't have a neutral or unknown mode.  If I remember
right, the only way to signify "unknown" under CSV is not to publish.  Of
course, you didn't say whether you are comparing SPF to CSV, or just
railing on SPF without a constructive counter-proposal.)


> There is no spam or phishing solution without the use of email
> reputation.  The accrual of reputation demands authentication and not
> just authorization, if it is to be fair.  Saying that authorization is
> good enough sounds too much to me like "let them eat cake" when knowing
> those that care will have their own servers.  Getting this right requires
> an understanding that neither authorization nor authentication alone is a
> solution.


I think I would agree with that.  But if there's any lesson I take away
from MARID, it's that the best is often the enemy of the good.  Waiting to
solve one problem until we have enough tools to solve a larger number of
problems doesn't seem to be the best way forward.  Some would look at the
problem space and say "This is huge and complicated... We have to approach
it in just the right way."  I look at the problem space and say "This is
huge and complicated, so let's get started."


> The next step in this process is reputation; however, this step can only
> be safely made when there is an ability to authenticate the entity being
> held accountable.  Just calling it authentication is not productive
> when it is based upon an assumption that the server is not shared.  I
> find this a bad assumption and one that will create endless support
> issues when exploited by the millions of zombies known to exist.


I understand what you mean here, and I do believe you are sincere, but I
don't agree with your characterization or your conclusion.  I should
probably go back and read the spec and see if the language explaining pass
vs. neutral is clear enough.  If you have suggestions on how to make this
clearer so people aren't confused in the way you suspect they currently
are, I'm sure Wayne would welcome the feedback.

Thanks
gregc

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
on my squirrelmail right now
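Added illustration for this archive page (not code from the original mail or from any SPF implementation): a minimal evaluator for the ip4/ip6/all mechanisms with the standard qualifier semantics, run against constructed records, to show how narrowing "?all" to "?certain-MTAs -all" turns unlisted hosts from Neutral into Fail while the listed MTA keeps its chosen result. The records and addresses are constructed examples using RFC 5737 documentation ranges.

```python
import ipaddress

# SPF qualifier characters and the result each produces when a mechanism
# matches; "+" is the default when a mechanism carries no qualifier.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a minimal SPF record against sender_ip.

    Deliberately small for illustration: only ip4, ip6 and all mechanisms
    are supported (no include, a, mx, redirect or DNS lookups). When no
    mechanism matches, the default result is Neutral, as the spec requires.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"unsupported mechanism in this example: {name}")
    return "Neutral"


# Constructed records for a hypothetical domain (RFC 5737 addresses).
BROAD_RECORD = "v=spf1 ?all"                     # every host is Neutral
NARROWED_RECORD = "v=spf1 ?ip4:192.0.2.10 -all"  # only the known MTA stays Neutral
TRUSTED_RECORD = "v=spf1 +ip4:192.0.2.10 -all"   # the known MTA is vouched for: Pass


if __name__ == "__main__":
    cases = [("broad", BROAD_RECORD), ("narrowed", NARROWED_RECORD),
             ("trusted", TRUSTED_RECORD)]
    for label, rec in cases:
        for ip in ("192.0.2.10", "198.51.100.7"):  # listed MTA, unlisted host
            print(f"{label:8} {ip:14} -> {evaluate_spf(rec, ip)}")
```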