The Aspen Framework says: authentication, reputation, accreditation. The latter two basically fall into the domain of "policy". http://spf.pobox.com/slides/unified%20spf/0335.html

Leaving accreditation (including Habeas, Bonded Sender, ISIPP IADB, Goodmail, Vanquish, etc.) aside, I have found four ways so far to ask whether a sender is known:

1) are they famous? (listed in a global reputation system, e.g. Cloudmark Rating)
2) are they known to the ISP? (listed in a local sender whitelist, e.g. AOL's whitelist)
3) are they known to the end user directly? (in the address book)
4) are they known to the end user's friends? (http://loaf.cantbedone.org/ and http://dumbo.pobox.com/~mengwong/tmp/loaf-diagrams/mouseovered.html)

I record some first-contact scenarios at http://spf.pobox.com/aspen/agupimail.png

We see that there is a natural division between reputation decisions that can be easily made by the ISP MTA, and decisions that can be easily made by the MUA.

In my AGUPImail implementation, the MTA is responsible for performing both the authentication and the reputation tests. But I cheated: Cloudmark Rating was good, but not good enough. So I had to basically upload my address book into DNS and turn it into an RHSWL.

The future will see MTAs and MUAs splitting up the authentication / reputation / accreditation burden among themselves. There are different ways to do it:

crypto: MUA does both
Unified SPF: MTA does auth
Sender ID: MUA does auth
spf.pobox.com AGUPIMail: MTA does auth, MTA does policy

In the future, I expect things will go like this:

MTA does IP-based auth, MUA does crypto-based auth
MTA does global/ISP policy, MUA does address book / friends local policy

At the very least it'll be the MTA's job to only allow authenticated mail, or at least to tag the distinction between authenticated and not-authenticated (using something like http://www.ietf.org/internet-drafts/draft-kucherawy-sender-auth-header-00.txt). MTAs will help in any way they can, by implementing at least the "well-known reputation" side of the question, and leaving the "local address book / LOAF" side of things to the MUA. And it'll be the MUA's job to make the final policy decisions that use the local address book.

Systems which integrate the MTA and MUA will be at an advantage, because they'll have all the information they need at SMTP time. This includes inbox providers like Yahoo and GMail and Hotmail.
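As an added illustration of the MTA/MUA split sketched in this post (example code written for this page, not code from the post or from AGUPImail): the MTA records the authentication verdict in a draft-kucherawy-style Authentication-Results header and consults only the global and ISP reputation tiers, while the MUA applies the address book and friends-of-friends tiers last. The header grammar is simplified, and every list entry and domain below is a constructed, hypothetical value.

```python
import re

# Constructed sample data for the four "is the sender known" tiers from the post.
GLOBAL_REPUTATION = {"bigcorp.example": "good"}   # tier 1: famous (global rating)
ISP_WHITELIST = {"partner.example"}                 # tier 2: on the ISP's sender whitelist
ADDRESSBOOK = {"alice@friend.example"}              # tier 3: the end user's own address book
FRIENDS_ADDRESSBOOKS = {"bob@colleague.example"}    # tier 4: LOAF-style friends' address books

# Simplified Authentication-Results grammar (assumed):
#   "<authserv-id>; <method>=<result> <ptype>.<property>=<value>"
AUTH_RESULTS_RE = re.compile(
    r"^(?P<authserv>[^;]+);\s*(?P<method>\w+)=(?P<result>\w+)"
    r"(?:\s+(?P<ptype>\w+)\.(?P<prop>\w+)=(?P<value>\S+))?")

def parse_auth_results(header):
    """Parse the MTA's tag, e.g. 'mx.isp.example; spf=pass smtp.mailfrom=alice@friend.example'.
    Returns a dict of fields, or None when the header is unparseable."""
    m = AUTH_RESULTS_RE.match(header.strip())
    return m.groupdict() if m else None

def mta_policy(auth):
    """MTA side: reputation is only meaningful for an authenticated identity, so an
    unauthenticated message never reaches the reputation lookups at all."""
    if auth is None or auth["result"] != "pass" or not auth["value"]:
        return "unauthenticated"
    domain = auth["value"].rsplit("@", 1)[-1]
    if GLOBAL_REPUTATION.get(domain) == "good":
        return "famous"
    if domain in ISP_WHITELIST:
        return "isp-known"
    return "unknown-to-mta"

def mua_policy(header):
    """MUA side: final decision using the local tiers, trusting the address book only
    because the MTA already vouched for the sender's authentication."""
    auth = parse_auth_results(header)
    mta = mta_policy(auth)
    if mta == "unauthenticated":
        return "quarantine"        # a forged From must never inherit address-book trust
    if mta in ("famous", "isp-known"):
        return "inbox"
    sender = auth["value"]
    if sender in ADDRESSBOOK:
        return "inbox"
    if sender in FRIENDS_ADDRESSBOOKS:
        return "inbox-flagged"     # vouched for by a friend only: deliver, but mark it
    return "first-contact"         # nobody knows them; the first-contact scenarios apply
```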