In <IKEBLNJHKPJILCNKNFAEKEJGCBAA(_dot_)spf(_at_)nedharvey(_dot_)com> "Edward
Ned Harvey" <spf(_at_)nedharvey(_dot_)com> writes:
spf has some characteristics in common with successful authentication
mechanisms, but it does not comply adequately.
SPF is not an authentication system, it is an authorization system.
SPF uses the IP address as of the sending MTA as an identity. The IP
address (identity) is authenticated by the OS via the TCP sequence
numbers. SPF then uses DNS to see if that IP address is authorized to
by the domain name owner to send email using their domain name.
SPF is designed to be a lower overhead system that can be used early
in the SMTP session.
EMVP appears to be solving a different problem and has different
advantages and disadvantages. In particular, it appears to
authenticate a "user" and it assumes that the user is authorized to
send email using their own name.
They can always easily and quickly forge somebody.
True, but a domain owner can take steps to prevent the forging of
their particular domain, which may well be very important to them.
-wayne
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡