Meng Weng Wong wrote:
> If we consider "please swipe employee pass to gain entry to
> building" as an example of an authentication scheme, you can
> make the same claims that swiping an employee pass is not
> actually an authentication scheme, because maybe a bad guy
> stole your pass and is swiping it instead of you.

At our office building, our lazy building manager can't be bothered to
set up individual key cards to have access to their network rooms, etc.
So she just gives each company one key card that will access all of
them, and expects the company to take care of it. (I have tried to
fight this, but my boss apparently doesn't find this as offensive as I do.)
That's more like SPF. All you can tell is that the swipe was from a
certain company; you can't tell who. The ISP's mail server is a shared
resource (much like our building-wide swipe card), so individual user
authentication to the recipient's mail server is impossible, unless the
sender's ISP takes measures to eliminate cross-account spoofing. That
would not be within the scope of SPF though.
Steve Meyers
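
Added example (not part of the original message): a minimal SPF check, handling only the ip4/ip6 and all mechanisms, next to the kind of sender-side check the message says is outside SPF's scope. The domain isp.example, the SPF record, the IP addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed SPF record for a hypothetical ISP (documentation address space).
SPF_RECORDS = {"isp.example": "v=spf1 ip4:192.0.2.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from):
    """Simplified SPF evaluation: ip4/ip6 and 'all' only (no include, a, mx, redirect)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"


def submission_allowed(authenticated_user, mail_from):
    """Sender-ISP control, separate from SPF: the account that logged in to the
    shared server must match the envelope sender (assumes login name == address,
    compared case-insensitively as a simplification)."""
    return authenticated_user.lower() == mail_from.lower()


if __name__ == "__main__":
    relay = "192.0.2.25"  # the ISP's shared outbound server (constructed)
    # The receiver sees only the connecting IP and the claimed sender domain,
    # so the local part makes no difference to the SPF result.
    for sender in ("alice@isp.example", "bob@isp.example"):
        print(sender, "via shared relay ->", spf_check(relay, sender))
    print("outside host ->", spf_check("198.51.100.7", "alice@isp.example"))
    # Only the sending ISP knows which account actually submitted the message.
    print("bob submitting as alice allowed:",
          submission_allowed("bob@isp.example", "alice@isp.example"))
```
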