
Re: SPF extension

2004-02-04 18:38:07
On Wed, Feb 04, 2004 at 07:18:39PM -0600, wayne wrote:
| >
| > If the client doesn't recognize smime, do you really want it to fail?
| >
| > If the client does recognize smime, and the message is a forgery, do you
| > really want it to return neutral?
| 
| With unknown mechanisms, domain owners don't have a choice, with unknown
| modifiers, domain owners do have a choice.  The answers to those two
| questions should be left up to the domain owner.
| 

I don't think the answers need to be left up to the domain owner.  We
know what the domain owner wants: he wants legitimate mail to get
through and forged mail to be rejected.

Suppose the use case is: the domain usually sends mail from a set of
permitted IP addresses, expressed in vanilla SPF notation as "a mx".
But when the domain doesn't send mail from those IP addresses, it always
signs the mail using smime.  If there is no smime signature, the mail is
forged.

Suppose the domain expresses the above as "v=spf1 a mx smime -all".

Let's explore the space of possibilities.

                        1              0
A) SPF MTAs:       smime-enabled    vanilla
B) Messages:       signed           unsigned
C) Client IP:      IP-permitted     not-permitted
D) Domain desires: accept           reject
E) Actual result:  accept           reject

 A B C     D    E
------------------
 0 0 0     0    1
 0 0 1     1    1
 0 1 0     1    1
 0 1 1     1    1
 1 0 0     0    0
 1 0 1     1    1
 1 1 0     1    1
 1 1 1     1    1

The only discrepancy between what the domain desires and what actually
happens is when a vanilla SPF MTA that does not understand "smime"
accepts the message.  But it accepts it with the prepended header

  Received-SPF: unknown smime

which can be processed later down by an smime-capable MUA.

An SPF MTA that does understand smime will always do the right thing.

If you believe that a domain owner does not want vanilla MTAs to accept
signed mail, then the modifier approach makes sense.

The domain would then express its wishes as "v=spf1 a mx smime=please -all".

                        1              0
A) SPF MTAs:       smime-enabled    vanilla
B) Messages:       signed           unsigned
C) Client IP:      IP-permitted     not-permitted
D) Domain desires: accept           reject
E) Actual result:  accept           reject

 A B C     D    E
------------------
 0 0 0     0    0
 0 0 1     1    1
 0 1 0    *0*  *0*
 0 1 1     1    1
 1 0 0     0    0
 1 0 1     1    1
 1 1 0     1    1
 1 1 1     1    1

My question to you is, if you want vanilla MTAs to reject smime-signed
mail, why bother adding an smime declaration at all?

Are we really talking about requiring that mail have *both* factors ---
coming from the right IP address *and* being signed?  I hope we aren't.


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname
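As an added illustration (not part of the post above or of any SPF implementation), here is a toy evaluator that reproduces the two truth tables in the post: "smime" treated as an unknown mechanism versus "smime=please" treated as an unknown modifier. The smime semantics are the hypothetical ones from the thread, and the receiver policy of rejecting only on an explicit "fail" (so "unknown" is accepted) is an assumption.

```python
from itertools import product

# Toy model of the thread's two extension strategies; the "smime" mechanism
# and "smime=please" modifier are hypothetical, taken from the post above.
RESULT_OF = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, smime_enabled, signed, ip_permitted):
    """Evaluate one spf1 record for one message; returns an SPF result string."""
    for term in record.split()[1:]:                 # skip the "v=spf1" tag
        if "=" in term:                             # modifier (name=value)
            name = term.partition("=")[0]
            if name == "smime" and smime_enabled and signed:
                return "pass"
            continue                                # unrecognised modifier: skipped
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT_OF else ("+", term)
        if mech in ("a", "mx"):
            matched = ip_permitted
        elif mech == "all":
            matched = True
        elif mech == "smime":
            if not smime_enabled:
                return "unknown"                    # vanilla MTA: unknown mechanism
            matched = signed
        else:
            return "unknown"
        if matched:
            return RESULT_OF[qualifier]
    return "neutral"                                # ran off the end of the record

def accepted(result):
    """Assumed receiver policy: only an explicit 'fail' rejects; 'unknown' is accepted."""
    return result != "fail"

def truth_table(record):
    """Rows (A, B, C, D, E) in the post's notation: A=smime-enabled MTA,
    B=signed, C=IP-permitted, D=domain desires accept, E=actually accepted."""
    rows = []
    for a, b, c in product((0, 1), repeat=3):
        desired = int(b or c)                       # legitimate if signed OR from a permitted IP
        actual = int(accepted(evaluate(record, bool(a), bool(b), bool(c))))
        rows.append((a, b, c, desired, actual))
    return rows

def discrepancies(record):
    """(A, B, C) combinations where the domain's wish and the actual outcome differ."""
    return [(a, b, c) for a, b, c, d, e in truth_table(record) if d != e]
```

Running `discrepancies` on both records yields exactly the single mismatching row of each table above: the vanilla MTA accepting unsigned, non-permitted mail under the mechanism form, and the vanilla MTA rejecting signed, non-permitted mail under the modifier form.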

