spf-discuss

Re: Is SPF Authentication or Authorization?

2004-09-22 20:48:16
Dave Crocker wrote:

> On Wed, 22 Sep 2004 21:51:26 GMT, Mark wrote:
>
>> There is no reason to exaggerate this "spoofing", though, as the
>> extent is only local. Simply put: only users on your system can set
>> their address to another user of that system (or likely a
>> non-existing, local user even), as
>
> well, as long as the threat is limited to the few (1?, 10? 70?)
> millions of users that share my ISP's MTA, I guess that's ok.

Do I detect a hint of sarcasm? :) Seriously, though, I look upon these things in terms of phases. We're in a transitional phase now, where ISPs are encouraged to start enforcing the use of SMTP AUTH. Once that process has completed, or largely so, AUTH info could be used to do forced address rewriting. We're not there yet, though. For now, SPF will already stop foreign parties from spoofing your domain name; that is not bad.

Also, people seem to want an all-in tool to protect them against all threats, foreign and domestic. SPF, in spoofing terms, gives you protection against foreign threats, not domestic. And I should point out that this is not a shortcoming of SPF. Unless people sign headers, or the ISP enforces address rewriting, there is no means to authenticate an email address. That is why I entered this thread anyway; because, whereas I am a huge SPF proponent, I do not try and sell it as an authentication tool as well.

- Mark

       System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
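
The distinction drawn in this message, as an added example that is not part of the original post: a simplified SPF check in which the result depends only on the sender's domain and the connecting IP, never on the local part. It handles the ip4 and all mechanisms only; the domain, SPF record and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample policy for a hypothetical domain (not from the thread).
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from, client_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF policy (ip4 and all mechanisms only)."""
    local_part, _, domain = mail_from.rpartition("@")
    # local_part is deliberately unused: the policy is looked up by domain,
    # so SPF authorizes a sending host, it does not authenticate a mailbox.
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, include, ...) need DNS and are skipped here.
    return "neutral"


# Constructed SMTP sessions: (envelope sender, connecting client IP).
SESSIONS = [
    ("alice@example.org", "192.0.2.10"),   # mailbox owner via the ISP's MTA
    ("bob@example.org", "192.0.2.10"),     # different local part, same MTA
    ("alice@example.org", "203.0.113.7"),  # host outside the published policy
]


def evaluate_sessions(sessions=SESSIONS):
    """Return (sender, ip, result) for each constructed session."""
    return [(sender, ip, check_spf(sender, ip)) for sender, ip in sessions]


if __name__ == "__main__":
    for sender, ip, result in evaluate_sessions():
        print(f"{sender:22} from {ip:14} -> {result}")
```

Binding the local part to a specific user needs a second control at submission time, such as SMTP AUTH with enforced address rewriting or signed headers, as the message notes.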