spf-discuss

Re: Attacking the throwaway-domain problem

2003-10-15 00:38:01
On Tue, Oct 14, 2003 at 10:16:57PM -0500, wayne wrote:
> In <20031014222512(_dot_)GB3619(_at_)arbat(_dot_)com> Erik Corry
> <erik(_at_)arbat(_dot_)com> writes:

>> What SPF does is hijack DNS and use it as a sort of poor man's
>> verified identity on the net.  It's the same service that
>> sellers of SSL certificates perform, but we are doing it
>> on the cheap (and likely not as well).

> No, SPF does not verify an identity (authentication),

That's not what I said.  What I (meant to) say is that SPF is
using the registries, routers and TCP sequences to verify
identity.

> it verifies
> whether a given IP address is approved for use by a given domain
> (authorization).

The domain is the identity.  The control over the IP address provides
the authentication.

> These are two different things.

I agree that SPF is much weaker than a conventional authentication
system.

> *IF* SPF (or a similar system) becomes widespread, that opens up a new
> option for judging the reputation for a domain, much like the IP
> address is currently judged.

Yes, though many of the same problems still apply.  It's not always
clear who is to blame for spam in an SPF world:

* Spammer misuses his ISP's SPF-protected SMTP server:
  Is the ISP at fault?  Can spamtraps put the ISP on automated
  block lists?
* Mailing list includes spam:
  Did the mailing list do the SPF checks wrong, or use the wrong
  block lists (or white lists)?  Or is the spammer using a new
  domain that looked legit?
* Forwarding service sends out spam:
  Again, who is to blame?

How about a spammer misuses his ISP to send mail to a forwarder
who forwards it to a mailing list?  Blacklist all of them?

> This kind of reputation publication can
> *AND SHOULD* be done in many different ways.  There can be RHSBLs,
> RHSWLs, things similar to Habeas, things like bondedsender, etc.

> Having registrars do detailed checking of who registers a domain is
> certainly an option, but I suspect it will be either far too costly,
> or far too easy to fudge.

If you have a reputation-based system then you need to decide what
to attach the reputation to.  If you attach reputations to things
that can be created out of thin air as the need arises then you haven't
won much.  Domains can be created out of thin air for pocket change,
esp. if you allow 3rd level domains to publish their own SPF data.

That's why you need to tie the reputation to a person.  If the
registrars won't do that then someone else must.

-- 
Erik Corry erik(_at_)arbat(_dot_)com
A: Because it messes up the order in which people normally read text.
Q: Why is top-replying such a bad thing?
A: Top-replying.
Q: What is the most annoying thing in email?

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/