-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Julian Mehnle wrote:
--- draft-schlitt-spf-classic-01pre5.xml
+++ draft-schlitt-spf-classic-01pre5+mehnle_cross-customer_forgery.xml
[...]
@@ -2015,4 +2018,23 @@
</t>
</section>
+ <section title="Cross-User Forgery" anchor="cross-user-forgery">
+ <t>
+ By definition, SPF policies just map domain names to sets of
+ authorized MTAs, not entire e-mail addresses to sets of
+ authorized users. Although the "l" macro (<xref
+ target="macros"/>) provides a limited way to define
+ individual sets of authorized MTAs for specific e-mail
+ addresses, through SPF it is generally impossible to
+ authenticate the use of specific e-mail addresses by
+ individual users of the same MTA.
+ </t>
s{through SPF it is generally impossible to authenticate}
{it is generally impossible to authenticate, through SPF,}
+ <t>
+ It is up to mail services and their MTAs to directly
+ prevent cross-user forgery: based on SMTP AUTH (<xref
+ target="RFC2554"/>), users should be restricted to use only
+ those e-mail addresses that are actually under their control.
+ Another means to authenticate the identity of individual
+ users is message cryptography such as PGP or S/MIME.
+ </t>
+ </section>
s/restricted to use/restricted to using/
<section title="Spoofed DNS and IP Data">
<t>
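Review bot: In the second added paragraph, "users should be restricted to use only those e-mail addresses that are actually under their control" does not say which address in the message the MTA is expected to compare against the SMTP AUTH identity, so a reader cannot tell what check is being asked of the mail service. Name the address field explicitly, and state whether "should" is meant as a normative requirement or as advice. The same paragraph adds <xref target="RFC2554"/> while the visible lines add no reference entry, so confirm that the draft's references section already defines that anchor.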
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCg3wWwL7PKlBZWjsRAvhIAKCyoGFiAwPc3TKNMgbPDQLG1OaWDACgq130
qiwhuM7iQr9DYne838/Wko8=
=JVBx
-----END PGP SIGNATURE-----