spf-discuss

RE: Re: New ideas for RFC2822 headers checking with SPF

2004-10-26 05:47:52
From: Chris Haynes
Sent: Tuesday, October 26, 2004 2:53 AM


"Seth Goodman" asserted:

<snip>

This would all be a lot simpler if we could build two simple
requirements
into any _future_ authentication standard that go beyond RFC2476:

1) The MSA MUST authenticate all users and MUST NOT accept
submissions from unauthenticated users.

2) The MSA MUST reject any message with an originator identity that the
MSA cannot ascertain the authenticated user has the rights to use.



In the last few days of MARID (which was a bad idea, since
everyone's attention was by then on the politics, not on the
technology) I proposed a scheme in which:

1) The MSA included a marker in the 8221-phase declaring that it
_had_ done the above checks,

2) SPF had a new modifier which declares:

- if the MSA 'sender-validated' marker is present then test
results for messages emanating from that host may 'PASS', if that
is what the rest of the policy resolves to.

- If the 'sender-validated' marker is not present, then the test result is
limited to NEUTRAL at best (i.e. it acknowledges that unauthorised
entities could have used the address).

With or without the 'sender-validated' marker, you still depend on your
provider to configure itself and act properly.  It appears that they are
just as likely to be misconfigured and use the marker when they shouldn't,
or fail to use the marker when they should, as to fail to update their
published sending policy.  Since your provider runs their MSA from day to
day, and may change policy at any time, sometimes as an unintentional side
effect, it seems that you are in the same position in either case (they use
your marker proposal or they publish sender policy as part of their SPF
record).  That is the nature of being a customer of an ISP and not running
your own server.  This is unfortunate, but all we can do is make our wishes
known to our providers, and if they fail to listen, or fail to do what they
claim, vote with our feet, if possible, and find a new provider.



My concern was for those of us who have to use a shared outbound
MSA over which we have no control.

Suppose my ISP were to declare a policy that it was henceforth
intending to do just what Seth lists above.

If I publish a '+' against that ISP's servers (and don't have the
protection of a scheme such as the one above), and they then:
- change their policy,
- mis-configure their servers,
- lose contact with the associated authorities database yet carry
on sending,
- etc., etc.,
it is my '+' policy declaration which is
compromised without my knowledge or ability to detect.

My question is why are they any more likely to apply the mark appropriately
if they misconfigure their servers than to adjust their published sending
policy?  We are talking about a misconfiguration, a mistake, in both cases.
Why is one mistake more likely than the other?



If the marker disappears from any particular message, the
modifier in my policy would say "convert a '+' result into a '?'".

If people are interested I could re-post the detailed proposal
here. Actually it would be a re-work of my original plan, as since
then I've thought of a better way to aid migration.

I'd be interested in seeing it.

--

Seth Goodman
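To make the mechanism under discussion concrete, here is an added Python model of the modifier Chris describes (it is not code from the thread or from any SPF implementation): a record lists the ISP's shared MSA with '+', and the modifier caps a 'pass' at 'neutral' whenever the message lacks the MSA's 'sender-validated' marker. The modifier name `sv=strict`, the ip4-only parser and the constructed addresses are all assumptions; the proposal fixed no syntax.

```python
import ipaddress

# Simplified SPF evaluator modelling the proposed 'sender-validated' modifier.
# Only ip4/all mechanisms with qualifiers and the hypothetical modifier
# 'sv=' (name assumed) are handled; real SPF has many more mechanisms.

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Return (list of (qualifier, network-or-None for 'all'), modifiers dict)."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF v1 record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                      # modifier, e.g. the assumed sv=strict
            name, value = term.split("=", 1)
            modifiers[name] = value
            continue
        qualifier = "+"                      # SPF default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            mechanisms.append((qualifier, None))
        elif term.startswith("ip4:"):
            mechanisms.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        else:
            raise ValueError("unsupported mechanism: " + term)
    return mechanisms, modifiers


def evaluate(record, client_ip, sender_validated):
    """SPF result for a connection from client_ip. With sv=strict present,
    a 'pass' for a message lacking the sender-validated marker becomes 'neutral'."""
    ip = ipaddress.ip_address(client_ip)
    mechanisms, modifiers = parse_record(record)
    result = "neutral"                       # nothing matched: default result
    for qualifier, network in mechanisms:
        if network is None or ip in network:
            result = RESULT_FOR_QUALIFIER[qualifier]
            break
    if modifiers.get("sv") == "strict" and result == "pass" and not sender_validated:
        result = "neutral"                   # the '+' is downgraded to '?'
    return result


# Constructed example: a customer's record naming the ISP's shared MSA range.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 -all sv=strict"

if __name__ == "__main__":
    for validated in (True, False):
        print("marker present:", validated, "->", evaluate(EXAMPLE_RECORD, "192.0.2.25", validated))
```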

