spf-discuss

RE: SPF competitor: DVP

2004-05-10 04:54:24
The DVP people are particularly concerned that macro expansion could cause buffer overflows and lead to exploits

Buffer overflows are a result of incompetent programming and not macro expansion, so the DVP people are wrong on this point.

Jeremy Pullicino

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Stuart D. Gathman
Sent: Saturday, May 08, 2004 4:26 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] SPF competitor: DVP

I looked at the DVP site, and it is functionally almost the same as SPF.

The difference is that instead of the recipient interpreting the SPF 
record, a server provided by the sender does whatever it wants with the 
same information used by SPF and returns the same results.

http://www.exploits.org/dvp/

The exists mechanism in SPF can provide identical functionality - but requires running a custom DNS server.  The TCP server specified by DVP is much simpler to implement (the results include a TTL for caching - so even that is identical to using exists with DNS).  What about a "dvp:host" mechanism which says "consult the DVP server over there"?

I would like to see the two proposals merged in this way - but the DVP people seem to hate SPF because they see interpreting the SPF record as executing general purpose code - and hence a security hole.  SPF needs to make the case that SPF interpretation is *not* Turing complete, and has bounded execution in time and space.  The DVP people are particularly concerned that macro expansion could cause buffer overflows and lead to exploits (a concern that doesn't exist for SPF implemented with bounds checking languages such as Python, Java, Pike, Perl, etc.).  Even a C version has only a small amount of non-performance-critical code needing bounds checking.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-200404.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
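Stuart's point that SPF macro expansion is bounded in time and space can be shown concretely. The following is an added example, not code from this thread or from any SPF implementation: a macro expander using the SPF draft / RFC 4408 macro syntax that works in one left-to-right pass, never lets a macro refer to another macro, and rejects any result over a fixed output cap, so a C port of the same structure needs exactly one length check. The `session` dict layout, the `MAX_EXPANDED` value and the function name are assumptions made for this example.

```python
import re
from urllib.parse import quote

# SPF macro letters s,l,o,d,i,p,v,h each name one fixed value from the SMTP
# session (RFC 4408 syntax: %{letter digits? r? delimiters?}). A macro never
# refers to another macro, so expansion is a single pass with no recursion.
_MACRO_RE = re.compile(r"%\{([slodipvh])(\d*)(r?)([.\-+,/_=]*)\}", re.I)

# Fixed upper bound on the expanded result (253 is the DNS name limit).
# Exceeding it is an error, never a larger buffer. Value chosen for this example.
MAX_EXPANDED = 253


def expand_macros(spec, session):
    """Expand `spec` using `session` = {letter: value} (assumed layout).

    Returns the expanded string. Raises ValueError on a malformed macro or if
    the result would exceed MAX_EXPANDED, so cost is O(len(spec)) time and
    at most MAX_EXPANDED output characters, whatever the input contains.
    """
    out, total, i = [], 0, 0
    while i < len(spec):
        if spec[i] != "%":
            piece, i = spec[i], i + 1
        elif spec.startswith("%%", i):
            piece, i = "%", i + 2
        elif spec.startswith("%_", i):
            piece, i = " ", i + 2
        elif spec.startswith("%-", i):
            piece, i = "%20", i + 2
        else:
            m = _MACRO_RE.match(spec, i)
            if not m:
                raise ValueError(f"malformed macro at offset {i}")
            letter, digits, rev, delims = m.groups()
            value = session[letter.lower()]
            # Split on the delimiter set (default "."), optionally reverse,
            # optionally keep only the right-most N labels, rejoin with ".".
            parts = re.split("[" + re.escape(delims or ".") + "]", value)
            if rev:
                parts.reverse()
            if digits:
                parts = parts[-int(digits):]
            piece = ".".join(parts)
            if letter.isupper():  # upper-case macro letter means URL-encode
                piece = quote(piece, safe="")
            i = m.end()
        total += len(piece)
        if total > MAX_EXPANDED:  # the one bounds check a C port would need
            raise ValueError("expansion exceeds MAX_EXPANDED")
        out.append(piece)
    return "".join(out)
```

The session values below are the constructed ones from the RFC 4408 macro examples, so the expected results can be checked against that text.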

