The DVP people are particularly concerned that macro expansion could cause buffer overflows and lead to exploits
Buffer overflows are a result of incompetent programming and not macro expansion, so the DVP people are wrong on this point.
Jeremy Pullicino
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Stuart D. Gathman
Sent: Saturday, May 08, 2004 4:26 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] SPF competitor: DVP
I looked at the DVP site, and it is functionally almost the same as SPF.
The difference is that instead of the recipient interpreting the SPF
record, a server provided by the sender does whatever it wants with the
same information used by SPF and returns the same results.
http://www.exploits.org/dvp/
The exists mechanism in SPF can provide identical functionality - but
requires running a custom DNS server. The TCP server specified by DVP is
much simpler to implement (the results include a TTL for caching - so even
that is identical to using exists with DNS). What about a "dvp:host"
mechanism which says "consult the DVP server over there"?
I would like to see the two proposals merged in this way - but the DVP
people seem to hate SPF because they see interpreting the SPF record as
executing general purpose code - and hence a security hole. SPF needs to
make the case that SPF interpretation is *not* Turing complete, and has
bounded execution in time and space. The DVP people are particularly
concerned that macro expansion could cause buffer overflows and lead to
exploits (a concern that doesn't exist for SPF implemented with bounds
checking languages such as Python, Java, Pike, Perl, etc.). Even a C
version has only a small amount of non-performance-critical code needing
bounds checking.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-200404.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
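Stuart's two claims above, that SPF macro expansion is a single bounded pass rather than general-purpose code, and that a C implementation only needs bounds checking in a small piece of non-performance-critical code, can be made concrete. What follows is an added example written for this page; it is not code from either message, from DVP, or from any SPF implementation. It is a bounded SPF macro expander in C in which every write goes through one length-checked append, so an over-long result is refused instead of being written past the buffer. It covers the %{l}, %{d}, %{i} and %{v} macros with the digit and 'r' transformers and custom delimiters as later written down in RFC 7208 section 7, and the sample values in demo_ctx are that RFC's own examples. The names spf_ctx, spf_expand, expand_macro and demo_expand are chosen here and are not from any real library.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LABELS 128

/* Check-time values an evaluator holds when it expands a domain-spec (added example). */
struct spf_ctx {
    const char *local;    /* %{l} local-part of MAIL FROM */
    const char *domain;   /* %{d} domain being checked */
    const char *ip;       /* %{i} client IP (dotted quad) */
    const char *version;  /* %{v} "in-addr" for IPv4 */
};

/* Every byte written goes through here: refuse instead of overflowing. */
static int append(char *out, size_t outlen, size_t *pos, const char *src, size_t n)
{
    if (n >= outlen - *pos) return -1;        /* keep one byte for the NUL */
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Expand one %{letter DIGIT* r? delimiter*} macro; *p starts just after "%{". */
static int expand_macro(const char **p, const struct spf_ctx *ctx,
                        char *out, size_t outlen, size_t *pos)
{
    const char *s = *p, *val = NULL, *lab[MAX_LABELS], *start;
    size_t keep = 0, nd = 0, n = 0, len[MAX_LABELS];
    char delims[9];
    switch (*s++) {
    case 'l': val = ctx->local;   break;
    case 'd': val = ctx->domain;  break;
    case 'i': val = ctx->ip;      break;
    case 'v': val = ctx->version; break;
    default:  return -1;                      /* unknown macro letter */
    }
    while (*s >= '0' && *s <= '9') {          /* digits: keep N rightmost labels */
        keep = keep * 10 + (size_t)(*s++ - '0');
        if (keep > MAX_LABELS) return -1;     /* bound the transformer too */
    }
    int rev = (*s == 'r'); s += rev;          /* 'r': reverse label order */
    while (*s && *s != '}' && strchr(".-+,/_=", *s)) {
        if (nd >= 8) return -1;
        delims[nd++] = *s++;
    }
    if (nd == 0) delims[nd++] = '.';          /* default delimiter */
    delims[nd] = '\0';
    if (*s != '}') return -1;                 /* malformed macro */
    *p = s + 1;
    for (const char *q = start = val; ; q++) {   /* split val into <= MAX_LABELS labels */
        if (*q && !strchr(delims, *q)) continue;
        if (n >= MAX_LABELS) return -1;
        lab[n] = start; len[n++] = (size_t)(q - start);
        if (!*q) break;
        start = q + 1;
    }
    if (keep == 0 || keep > n) keep = n;
    for (size_t j = 0; j < keep; j++) {       /* rightmost `keep` of the (reversed) list */
        size_t idx = rev ? keep - 1 - j : n - keep + j;
        if (j && append(out, outlen, pos, ".", 1)) return -1;
        if (append(out, outlen, pos, lab[idx], len[idx])) return -1;
    }
    return 0;
}

/* Expand spec into out: 0 on success, -1 if malformed or it would not fit.
 * One left-to-right pass; the output is never re-scanned, so work is bounded
 * by strlen(spec) plus the fixed context values: no recursion, no loops. */
int spf_expand(const char *spec, const struct spf_ctx *ctx, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *p = spec; *p; ) {
        if (*p != '%') { if (append(out, outlen, &pos, p++, 1)) return -1; continue; }
        switch (*++p) {
        case '%': p++; if (append(out, outlen, &pos, "%", 1))   return -1; break;
        case '_': p++; if (append(out, outlen, &pos, " ", 1))   return -1; break;
        case '-': p++; if (append(out, outlen, &pos, "%20", 3)) return -1; break;
        case '{': p++; if (expand_macro(&p, ctx, out, outlen, &pos)) return -1; break;
        default:  return -1;                  /* stray '%' */
        }
    }
    return 0;
}

/* Constructed sample values (RFC 7208 section 7.4), not from the original post. */
static const struct spf_ctx demo_ctx =
    { "strong-bad", "email.example.com", "192.0.2.3", "in-addr" };

/* 0 if spec expands to `expected` within outlen bytes, -1 if refused, 1 if different. */
int demo_expand(const char *spec, size_t outlen, const char *expected)
{
    char buf[254];
    if (spf_expand(spec, &demo_ctx, buf, outlen < sizeof buf ? outlen : sizeof buf)) return -1;
    return strcmp(buf, expected) != 0;
}
```

With the sample context, demo_expand("%{ir}.%{v}._spf.%{d2}", 254, "3.2.0.192.in-addr._spf.example.com") returns 0, and the same spec into a 16-byte buffer returns -1 from the append check rather than writing past the buffer. The only code that needs to be right is the dozen lines of append and the fixed-size label arrays, which is Stuart's point about a C version. RFC 7208 later chose to truncate an over-long result to 253 characters by dropping labels from the left; refusing is the simpler rule for a demo, and either way the output length is fixed by the buffer, not by whatever the record author or sender supplied.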