spf-discuss

Re: SPF extension

2004-02-04 18:57:42
On Wed, Feb 04, 2004 at 05:32:55PM -0800, Hallam-Baker, Phillip wrote:
| 
| At any rate, I think we have enough to show that there can be 
| a gradual introduction of a new auth mechanism.
| 

Before somebody else says it, I should point out the weakness of a
left-to-right processing scheme like SPF: only one new auth mechanism
can be gradually introduced.  We can't handle the semantics of "or".

If a domain wanted to assert that when its users aren't coming from a
known IP range, then its users always either sign mail with smime or
sign mail with domainkeys, it could assert

  v=spf1 a mx smime dk -all

But only clients that understood both smime and dk would be able to
fully parse this record.  For all other clients the domain might as well
not even publish a record beyond

  v=spf1 a mx ?all

Who knows, maybe that means we need a new meta-mechanism called "or".

  v=spf1 a mx or:smime,dk -all

Yuck.  This is a weakness of the current spec.  And if we're going to
add "or", we need "and", and soon we'll be on our way to longjmp() and
readmbox().

But I suspect the above "failure modes" are academic.  The scenarios are
contrived.  I expect that a domain that has to resort to smime as an
authentication mechanism won't be able to do the "a mx" part.

  v=spf1 smime -all

This simple case has value for those domain owners who can't say "a mx".

Finally, as things evolve, and when we start to discuss SPF v2, we can
invite second system effect by putting "smime" and "dk" into spf v2 and
require that v2 clients grok those mechanisms.  But my crystal ball is
cloudy and I am not wise in these matters.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
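The left-to-right weakness described in the message above, shown as a runnable toy evaluator. This is an added example, not code from the spf-discuss list, pobox.com or any SPF implementation: DNS is replaced by constructed in-memory A/MX tables so it runs offline, and the hypothetical "smime" and "dk" mechanisms are modelled simply as "the message carries a valid signature of that kind". An unknown mechanism aborts evaluation with "permerror", which is how RFC 7208 treats unrecognised mechanisms; the point the example makes is that this only happens if evaluation actually reaches the unknown term, so a client that understands smime but not dk still passes smime-signed roaming mail and errors on dk-signed roaming mail.

```python
"""Toy left-to-right SPF evaluator (added example, not the list's or any project's code).

Assumptions: DNS is replaced by constructed lookup tables; "smime" and "dk"
are the hypothetical mechanisms from the message and are treated as
"the message has a valid signature of that kind". Modifiers (exp=, redirect=)
are not handled.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for DNS: A records and MX hosts for the sending domain.
A_RECORDS = {
    "example.org": {"192.0.2.10"},
    "mail.example.org": {"192.0.2.25"},
}
MX_HOSTS = {"example.org": {"mail.example.org"}}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class Message:
    domain: str                                   # domain from MAIL FROM
    client_ip: str                                # connecting SMTP client address
    signatures: set = field(default_factory=set)  # e.g. {"dk"} if validly signed


def _matches(mech: str, msg: Message) -> bool:
    """Does a single (already known) mechanism match this message?"""
    if mech == "all":
        return True
    if mech == "a":
        return msg.client_ip in A_RECORDS.get(msg.domain, set())
    if mech == "mx":
        return any(msg.client_ip in A_RECORDS.get(host, set())
                   for host in MX_HOSTS.get(msg.domain, set()))
    if mech in ("smime", "dk"):                    # hypothetical signature mechanisms
        return mech in msg.signatures
    raise KeyError(mech)


def evaluate(record: str, msg: Message, known: frozenset) -> str:
    """Evaluate an SPF record left to right with a client that knows `known` mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        mech = mech.lower()
        if mech not in known:
            # Evaluation stops cold: the client cannot say what this term means.
            return "permerror"
        if _matches(mech, msg):
            return QUALIFIERS[qualifier]   # first match wins; later terms are never read
    return "neutral"                        # nothing matched and no "all" present


LEGACY = frozenset({"a", "mx", "all"})          # a 2004-era client
SMIME_AWARE = LEGACY | {"smime"}                # understands one new mechanism
FULL = LEGACY | {"smime", "dk"}                 # understands both

RECORD = "v=spf1 a mx smime dk -all"            # the record from the message


def demo() -> dict:
    """Constructed messages: from the domain's MX, roaming with a signature, and forged."""
    from_mx = Message("example.org", "192.0.2.25")
    roaming_dk = Message("example.org", "198.51.100.7", {"dk"})
    roaming_smime = Message("example.org", "198.51.100.7", {"smime"})
    forged = Message("example.org", "198.51.100.7")
    return {
        "legacy/from_mx": evaluate(RECORD, from_mx, LEGACY),                    # pass
        "legacy/roaming_dk": evaluate(RECORD, roaming_dk, LEGACY),              # permerror
        "smime_aware/roaming_smime": evaluate(RECORD, roaming_smime, SMIME_AWARE),  # pass
        "smime_aware/roaming_dk": evaluate(RECORD, roaming_dk, SMIME_AWARE),    # permerror
        "full/roaming_dk": evaluate(RECORD, roaming_dk, FULL),                  # pass
        "full/forged": evaluate(RECORD, forged, FULL),                          # fail
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

The "legacy/from_mx" case is why the message says the first new mechanism can be introduced gradually: mail from the known IP range matches "a" or "mx" before any client reaches the unfamiliar terms. The two "permerror" cases are the cost of a second new mechanism behind the first, which is why the message suggests the domain might as well publish "v=spf1 a mx ?all" for such clients.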

