spf-discuss

RE: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-17 09:08:18
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Julian Mehnle
Sent: Tuesday, May 17, 2005 11:33 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] People keep misunderstanding what "Pass" and "Neutral" mean


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Kitterman wrote:
Does ...client is authorized... mean that it is authorized to send __THIS__
message?

Does ...client is authorized... mean that it is authorized to send messages, but
makes no statement about the authorization of __THIS__ message?

As I said, it means that the calling MTA is generally authorized to use the
identity in question.  Neither of the above definitions of yours really
describes the point of SPF.  Or perhaps I'm just misunderstanding what you
are saying.

I think that this is a point of much confusion.  

I hear what you are saying.  That was the way I read the specs too, but when I 
have suggested that in the past, I've been shot down.

IIRC, Doug Otis has accused SPF of artificially and incorrectly conflating 
Authorization and Authentication.  His point seems to be that all you can tell 
from SPF is that the MTA in question is authorized to send on behalf of the 
domain, not if the message itself is an authentic message sent by the domain.

SPF proponents disagreed with him.  The basic idea being that it was up to the 
MTA operator to only send authentic messages for the domain, so that authorized 
~= authentic, or good enough for something that's deployable now.

The question about how we get from anti-forgery to supporting anti-spam is 
where this gets important.  

If PASS means authorized, but not necessarily authentic, then I don't think SPF 
mail from is a suitable basis for reputation.

If PASS means authorized and should be treated as if it's authentic, then you 
can use it for reputation.  

I think that the current (and long standing) language of the various specs can 
and has been interpreted both ways.

Given that Meng put the domain based RBL idea on spf.pobox.com, I think it's 
clear that he, at least when he put that up, was in the authorized and treat it 
like it's authentic camp.

If people keep misunderstanding (to take us back to the subject), I think it's 
because the spec is open to interpretation.

I'm not taking a side on this.  I can see it either way.  I do think that 
authorized and treat it like it's authentic has been the predominant view for 
some time.  

Does that clear up my perspective for you?

Scott K
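The authorized-versus-authentic distinction argued above becomes concrete once you look at what the SPF check_host() algorithm actually consults. The following is an added example, not code from this thread or from any SPF implementation: a simplified check_host() over a constructed zone table (the domains, addresses and records are made up for the example, and mx/ptr/exists are not modelled). The evaluation only ever looks at the connecting client's IP and the domain's published mechanisms; the message itself is never examined, which is exactly why "pass" states that the MTA is authorized for the identity and nothing more. The shared `_spf.example.net` host included by two unrelated domains shows the point: the same IP returns Pass for both.

```python
import ipaddress

# Constructed zone data standing in for DNS (not any real domain's records):
# domain -> TXT records, and host -> A records.  The include target is a
# shared outbound provider that two unrelated domains both authorize.
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.example.net -all"],
    "other.example": ["v=spf1 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "neutral.example": ["v=spf1 ?all"],
}
A_RECORDS = {"mail.example.com": ["203.0.113.5"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in TXT_RECORDS.get(domain.lower(), []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Simplified check_host(): evaluate client <ip> against <domain>'s SPF record.

    Returns one of pass, fail, softfail, neutral, none, permerror.  Note what the
    algorithm consults: only the client IP and the domain's published mechanisms.
    Nothing about the message (headers, body, the actual sender) is examined.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A bare address gets an implicit /32 or /128; an address-family
            # mismatch (v4 client vs. ip6 mechanism) is simply no match.
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(client == ipaddress.ip_address(a) for a in A_RECORDS.get(host, []))
        elif name == "include":
            # include matches only if the included domain's own evaluation is "pass"
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"               # mechanism not modelled here (mx, ptr, exists)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # default when no mechanism matched


def domains_passing_for(ip, domains):
    """Which of <domains> return Pass for mail relayed from <ip>?"""
    return [d for d in domains if check_host(ip, d) == "pass"]


if __name__ == "__main__":
    print(check_host("198.51.100.99", "example.com"))   # include softfails, then -all: fail
    print(domains_passing_for("198.51.100.10", list(TXT_RECORDS)))
```

Running `domains_passing_for("198.51.100.10", ...)` lists both `example.com` and `other.example`: the shared host is authorized for both identities, so a Pass for either one says nothing about whether a given message really came from that domain's users. That is the gap a domain-based reputation scheme built on Pass has to accept, or close by holding the MTA operator to only sending authentic mail, as the thread puts it.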

