spf-discuss
[Top] [All Lists]

Re: moving on from MARID

2004-09-24 23:34:52
In <20040924180634(_dot_)GA26570(_at_)simkin(_dot_)ca> Alan Hodgson 
<ahodgson(_at_)simkin(_dot_)ca>
writes:

On Fri, Sep 24, 2004 at 12:52:07PM -0400, Meng Weng Wong wrote:
  C) SUBMITTER if provided
  D) if checking is done after the DATA command, the PRA
I say "three identities" because C and D are really the same
thing according to the SUBMITTER spec, yet SUBMITTER can be
treated as a first-class identity in its own right.

Does SUBMITTER have any value without being able to check PRA?  Does
it have any real value even if we can check it?  Ya, ya, phishing, but
does anyone really think you can protect users from phishing that
easily?


--wayne <wayne(_at_)midwestcs(_dot_)com> wrote:
As far as I can see SUBMITTER has no value and is simply a way of
letting the patent encumbered and badly licensed PRA to slip in to the
SPF community through the back door.


Actually I was going to say just the opposite. Submitter was originally Meng's idea (if I remember right) and was described as "the entity responsible for the most recent injection of this message into the mail stream".

I think the idea to tie it and PRA together came soon after, because we were making an effort to work with MS at the time. But I also think the Submitter is distinct from the PRA in an important way: the Submitter is a new, declared parameter, while the PRA is a heuristic guess picked from other identities, based on how we think current mail headers work in practice.

My suggestion is to not make Submitter tied to PRA, but to keep it as a parameter in its own right. I would consider Submitter as a "request" by the sender to accept a forwarded message and check Submitter parameter instead of MAIL FROM. Since it can be used to send mail and direct the bounces to someone else, Submitter should only be accepted from trusted forwarders who we believe are OK to make that claim ( possibly because they are trusted agents of the receiver.)

In other words, the SPF Classic way is to rewrite MAIL FROM and take responsibility for bounces. The Submitter way would be to accept certain mail from known good sources and still bounce it to the MAIL FROM address if a bounce is necessary.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>


<Prev in Thread] Current Thread [Next in Thread>