spf-discuss

Re: Re: accredit= submodifier

2004-11-04 01:05:18
On Thu, Nov 04, 2004 at 12:00:13AM +0100, Frank Ellermann wrote:
| 
| BTW, did you know that PRA is technically FUBAR ?  Bye, Frank
| 

credit card numbers are a token subject to replay attacks
and practically zero security, and credit card fraud adds up
to losses in the gazillions of dollars.  the correct way to
do credit cards is obvious to anyone with security training,
yet people are quite happy with the security tradeoffs.

the worst-case scenario under SPF is that legitimate
forwarded mail is rejected because the forwarder doesn't do
SRS.

the worst-case scenario under PRA is that legitimate mailing
list (and forwarded mail) is rejected because PRA is, as you
say, fubar.

but they are qualitatively within the same range of
fubarness, and in fact those problems are less fubar than
credit cards.  so i'm not sure how we can defend SPF
Classic's fubaredness wrt forwarding, and attack PRA wrt
mailing lists.  that's like the small pot calling the big
kettle black.

that said, i still don't think the worst case scenario will
transpire for PRA because all the talk I've heard so far
says that people are going to use Sender ID and SPF Classic
more for whitelisting than for rejection for a long long time.



