spf-discuss

RE: SPF extension

2004-02-04 17:24:31

But isn't that equivalent to the "unknown mechanism" approach?  Maybe I
misunderstood you when you brought this up before.

Not really, I think you would want to introduce the mechanism in parallel
with IP auth so that if the client did not understand the new auth mechanism
it would NOT abort with unknown.

  v=spf1 mx domainsig -all

Clients that don't understand domainsig will abort "unknown"
Clients that do understand it will evaluate it and if it fails honour the "-all".

OK, I get it, I think you actually mean:

Clients that don't understand domainsig will succeed on the mx and return pass


This would be for the case where you wanted to introduce domainsig as a kind
of backup authentication mechanism in case the mx fails.

The modifier mechanism would be for the belt and braces approach. Like we
might want to use for anti-phishing.


I'll have to think about it but I think that the behavior is going to be
dependent on the type of authentication mechanism and the behavior you want
to result.

Maybe we should look at the type of behavior you might want for S/MIME. One
reason you might deploy S/MIME would be to address the roaming issue. So you
would want to say something like 'all mail from these addresses comes from
either this set of IP addresses or has an S/MIME signature.'

 v=spf1 mx smime -all

Would definitely give the right semantics. The only issue then would be what
parameters you might want to define for S/MIME to define allowable root
certificates or possible xkms lookup. This could be complex so I would
expect you would want to use a pointer to an s/mime specific record.

example.com             TXT     v=spf1 mx smime:_smime -all
_smime.example.com      TXT     "CA-URI=http://root-cert/
CA-Digest=SHA1-wqijh239y=="

Works for me.


                Phill
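
The two readings of `v=spf1 mx domainsig -all` discussed in this message both follow from left-to-right evaluation, as this added example shows (it is not code from the thread or from any SPF implementation). It assumes mechanisms can be modelled as booleans rather than DNS lookups and that an unrecognised mechanism ends evaluation with "unknown", as the message states; `evaluate`, `LEGACY`, `EXTENDED` and `scenarios` are hypothetical names.

```python
# Added illustration: first-match SPF evaluation with an extension mechanism.
# Mechanism matching is faked with booleans (assumption); no DNS is queried.

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECORD = "v=spf1 mx domainsig -all"   # record from the message
LEGACY = {"mx"}                       # client that predates domainsig
EXTENDED = {"mx", "domainsig"}        # client that implements domainsig


def evaluate(record, facts, known):
    """Return the SPF result for one message.

    facts: mechanism name -> does it match this message (constructed input)
    known: mechanism names this client implements
    """
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0]         # drop any argument, e.g. smime:_smime
        if name == "all":
            return RESULTS[qualifier]        # "all" always matches
        if name not in known:
            return "unknown"                 # stop at an unrecognised mechanism
        if facts.get(name, False):
            return RESULTS[qualifier]        # first match wins
    return "neutral"                         # nothing matched, no "all"


def scenarios():
    """Constructed cases: (mx matches?, signature valid?, client) -> result."""
    cases = [
        ({"mx": True}, LEGACY),                         # sent from the MX
        ({"mx": False}, LEGACY),                        # roaming, old client
        ({"mx": False, "domainsig": True}, EXTENDED),   # roaming, signed
        ({"mx": False, "domainsig": False}, EXTENDED),  # roaming, unsigned
    ]
    return [evaluate(RECORD, facts, known) for facts, known in cases]


if __name__ == "__main__":
    print(scenarios())
```

A client that predates the mechanism returns pass when the MX matches and "unknown" only when evaluation reaches `domainsig`, so the order of terms in the record decides which behaviour older receivers see.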

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/