RE: SPF and Responsibility

On Thu, 2004-07-22 at 14:55, terry(_at_)ashtonwoodshomes(_dot_)com wrote:


It's misleading because "the message is authentic" might be better worded
as "the sender domain of the message is authentic"0

And that's because I suspect to a lot of people authentic means:
(1) Conforming to fact and therefore worthy of trust, reliance, or belief
Rather then:
(2) Having a claimed and verifiable origin or authorship

(1) is what something like PGP does
(2) is really what SPF does


Sorry, I really don't see the difference you are trying to point out.

If you were trying to point out that the content of a message might be
full of lies and therefore the statements made within the content of the
email might not be "authentic", (say if the email contents mis-quoted a
public official), I could point you to the problem statement of the
spec, which points out in a number of ways, (slightly contradictorily, I
might add), that we're trying to authenticate the claimed sender or
sending domain.

But I don't think you're talking about authenticating the content. 
(Though I'm not sure.)

However, I really don't see the difference in problem scope you're
apparently trying to point out between a PGP signed message claiming
that it's really from "user(_at_)example(_dot_)com", and an spf record claiming
that a particular email is really from "user(_at_)example(_dot_)com".

In the PGP case you have to use a web-of-trust authentication technique
to  trust that the signing key matches its claimed identity, and in the
spf case, eventually we'll have common use of signed DNS records to
verify that the spf record really comes from the domain.

In the PGP case if the trusted signing machine is compromised, it can
create forged messages.  In the spf case if the trusted email server is
compromised, it can send out forged messages.

And in both cases the writer of the message contents has no real limit
on those contents--we're just verifying that they are who they say they
are.  And in both cases you could have reputation systems make
meta-claims about whether the particular identity is trustworthy.

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com

<Prev in Thread]	Current Thread	[Next in Thread>
Re: SPF and Responsibility, (continued) Re: SPF and Responsibility, Mark Shewmaker Re: SPF and Responsibility, David Beveridge Re: SPF and Responsibility, Mark Shewmaker Re: SPF and Responsibility, Michel Bouissou Re: SPF and Responsibility, Mark Shewmaker RE: SPF and Responsibility, terry RE: SPF and Responsibility, Mark Shewmaker RE: SPF and Responsibility, terry Re: SPF and Responsibility, Daniel Taylor RE: SPF and Responsibility, terry RE: SPF and Responsibility, Mark Shewmaker <= Re: SPF and Responsibility, Andriy G. Tereshchenko Re: SPF and Responsibility, Mark Shewmaker Re: SPF and Responsibility, Greg Wooledge Re: SPF and Responsibility, Daniel Taylor Re: SPF and Responsibility, Michel Bouissou Re: SPF and Responsibility, Daniel Taylor Re: SPF and Responsibility, Michel Bouissou Re: SPF and Responsibility, Daniel Taylor Re: SPF and Responsibility, Michel Bouissou Re: SPF and Responsibility, Daniel Taylor