spf-discuss

[SPF Classic] Privacy and disclosure of 2821 MAIL FROM

2004-10-06 13:57:49
The whole purpose of SPF is to check the "real" email address used for
the last introduction of the message. This can conflict with privacy
expectations, for instance for a roaming user.
 
The problem already exists with the Received headers but the advice in
the draft ("Security Considerations") to display the address used in
the 2821 MAIL FROM makes it stronger, IMHO.

I do not find an easy solution (it is an inherent conflict) but I
suggest adding to "Security considerations":

The proposal to check the RFC 2821 MAIL FROM (and, as a consequence,
to display it clearly to the recipient) may have privacy consequences
for the users. Users and administrators should be aware of other
solutions like RFC 2476 or various tunnels.