spf-discuss

RE: Re: New ideas for RFC2822 headers checking with SPF

2004-10-23 17:02:12
From: administrator(_at_)yellowhead(_dot_)com
Sent: Saturday, October 23, 2004 10:28 AM

<...>

Your analogy is quite good. I have always wondered when and why the two
addresses would be different, and I have never come up with a reasonable
explanation. I believe what you are saying is that the current RFCs should
be adjusted to not allow them to be different?

That would be very nice, but since they have been the industry standard for
so long, it is not really practical.  What I am suggesting is that, moving
forward with authenticated email, we should question any case where the two
identities are different.  At this point, there is a compelling advantage to
having them be the same.   An authentication scheme that cannot easily deal
with them being different should put the burden of proof on those who claim
a need for the identities being different.

I think there are very few valid cases where the two identities _need_ to be
different, at least the domain-part.  These probably have to do with mail
and news gateways, and I suspect there are solutions that are compliant with
existing RFCs.  At the same time, I realize that we would be removing a
little flexibility from the current email system in exchange for being able
to avoid 2822 domain forgery.  That seems like a reasonable trade-off, and I
invite anyone to make a compelling case against it, as it is a very
important issue and we need to get it right.

--

Seth Goodman
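
Added example, not part of the original message: a sketch of the check the message argues for, assuming "the two identities" are the SMTP envelope sender (MAIL FROM) and the RFC 2822 From: header, compared on the domain-part only. The function names, result labels and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def domain_of(addr):
    """Return the lower-cased domain-part of an address, or None if absent."""
    _, sep, domain = addr.rpartition("@")
    domain = domain.strip().rstrip(".").lower()
    return domain if sep and domain else None


def check_identities(envelope_from, raw_message):
    """Compare the envelope-sender domain with every From: header domain.

    Returns "null-sender", "no-from", "same" or "different".
    """
    env_domain = domain_of(parseaddr(envelope_from)[1])
    if env_domain is None:
        # MAIL FROM:<> (bounces) carries no domain to compare against.
        return "null-sender"
    msg = message_from_string(raw_message)
    # From: may legally list several mailboxes; all of them must match.
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    from_domains = {domain_of(a) for a in from_addrs}
    if not from_domains or None in from_domains:
        return "no-from"
    return "same" if from_domains == {env_domain} else "different"


# Constructed sample input: (envelope sender, raw message).
SAMPLES = [
    ("<alice@example.com>",
     "From: Alice <alice@EXAMPLE.com>\nSubject: hi\n\nbody\n"),
    # Gateway or list style rewrite of the envelope: the case the message
    # says should carry the burden of proof.
    ("<bounce-123@lists.example.net>",
     "From: Bob <bob@example.org>\nSubject: list post\n\nbody\n"),
    ("<>",
     "From: Mail Delivery <MAILER-DAEMON@mx.example.com>\nSubject: dsn\n\nbody\n"),
]

if __name__ == "__main__":
    for env, raw in SAMPLES:
        print(env, "->", check_identities(env, raw))
```

A "different" result here is only a signal to question the message; on its own the comparison says nothing about whether either domain authorized the sending host.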

