In
<16799(_dot_)20796(_dot_)663559(_dot_)56047(_at_)giles(_dot_)gnomon(_dot_)org(_dot_)uk>
Roy Badami <roy(_at_)gnomon(_dot_)org(_dot_)uk> writes:
Sendmail Inc have released a white paper entitled "Sender
Authentication Deployment Recommendations"
http://www.sendmail.net/tools/Sendmail_Auth_Reco_wp.pdf
Rand:
I read your recent white paper on email authentication. In general, I
liked it and I think it will be a useful guide to many. I do,
however, have a number of questions about the paper. Would you be
able to answer the questions, or pass them on to whoever authored the
paper?
Thanks.
Page 1:
* Could you provide some more detailed results of the "extensive
testing under real-world deployment scenarios"? That would be
extremely useful to many people, even if it is in a very rough
format.
Page 4
* SPF validates the Return-Path: header, which *is* usually available
to the end-user, although not usually visible. The Resent-* headers
that Sender ID validates are *not* any more user-visible than the
Return-Path: header.
Why does the paper claim that the Return-Path: header is not visible
while the Resent-* headers are?
* What incompatibilities with end-to-end cryptographic authentication
systems does SRS cause? I know of none.
* Why is only DK mentioned, but not IIM or SES?
Page 5
* Why do you think that crypto solutions are "more reliable" than
SPF? Can you share any data backing up this claim?
* Why do you recommend mailing lists modify the MAIL FROM addresses to
make sure they are properly authorized, but you do not recommend
that mail forwarders do the same? Any modification to the MAIL FROM
address by mailing lists causes the same problems as for forwarders,
so the recommendations should be the same.
-wayne