spf-discuss

Re: IESG and

2005-04-12 15:34:41
On Tue, Apr 12, 2005 at 10:45:46AM -0700, David MacQuigg wrote:

> My sense of the spirit behind this objection is that the IETF wants to
> maintain neutrality between the competing methods.  Clearly that can't be
> done for every item in a spec on SPF, but I think it can for this
> item.

SPFv1 records beginning with "v=spf1 " can't be reliably used for
non-(mailfrom, helo) testing for all domains, and thus recipients
doing so must not be considered to be compliant with the spec.

That spec must reflect that in one way or another.

I see no way to be neutral here.

Hehe, meta-argument:

  I claim:  "The spec MUST reflect that in one way or another."
  Do others claim:  "The spec SHOULD reflect that in one way or another."?

:-)

> What if we added words like:
>
> A sender must flag an identity in one of the existing email commands, or it
> may add a new one.  To flag an identity, put the string *ID* after the
> declared name.

"Officer, here are my ten separate passports for this country alone, and
here is the single one that I want you to examine for authenticity."

The SMTP model we're working under doesn't have us using or designing an
authentication-method negotiation system between the sender and
recipient.  If we were free to alter SMTP, we could add some sort of
authentication and authentication-method negotiation, (maybe even doing
some type of really cool zero-knowledge proof stuff), but we don't have
the freedom to do that at the moment.

So since we're using the existing SMTP protocol, the sender is going to
be presenting all their potential credentials anyway, which means that
there's no advantage to the recipient in listening to any preferences the
sender tries to say about which credentials he'd prefer the recipient
examine, and which ones he'd prefer the recipient didn't examine.

The sender should have no input whatsoever in how the recipient decides
to authenticate the credentials that the sender can't help supplying.

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com

