
For SPF Council review - PASS Definition - was: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-17 12:37:45
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Julian Mehnle
Sent: Tuesday, May 17, 2005 11:33 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] People keep misunderstanding what "Pass" and "Neutral" mean


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Kitterman wrote:
Does ...client is authorized... mean that it is authorized to send __THIS__
message?

Does ...client is authorized... mean that it is authorized to send messages, but
makes no statement about the authorization of __THIS__ message?

As I said, it means that the calling MTA is generally authorized to use the
identity in question.  Neither of the above definitions of yours really
describes the point of SPF.  Or perhaps I'm just misunderstanding what you
are saying.

Here is the current definition:

2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity.  Further policy checks, such as reputation,
   or black and/or white listing, can now proceed with confidence in the
   identity.

If I read the first sentence by itself, I think it means authorized, but not 
necessarily authentic.  Thus it would not be a suitable basis for reputation.

By including the second sentence in the definition, I infer that PASS must mean 
both authorized and authentic because that's necessary for reputation.

So, I think the paragraph as written is confusing.  Now I don't know which is 
the right answer.  I think SPF has been back and forth about this over time.  I 
do think that we need to clear it up one way or another for the RFC.  I propose 
that the council pick one of two options (or some variation thereof):

a.  2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity.  Further determination is required to
   find out if the message is authentic before policy checks, such as
   reputation, or black and/or white listing, can proceed.

b.  2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity and that the message may be treated as
   authentic.  Further policy checks, such as reputation, or black
   and/or white listing, can now proceed with confidence in the
   identity.

Option a lets shared MTA users say PASS instead of NEUTRAL.  It also makes it 
pretty well impossible to get beyond anti-forgery and in to anti-spam with SPF.

Option b means shared MTA users subject to cross-customer forgery ought not use 
PASS, but that SPF can be used as a leverage into domain based reputation.

As per usual, I will support whatever the Council decides.  I would like it
clarified one way or the other.  I think getting this clear and correct is very
important.

Scott K
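The shared-MTA case that the message above turns on (a Pass that is an authorization statement but not proof that this particular message is authentic) can be made concrete with a small SPF evaluator. The code below is an added example, not part of the thread and not any SPF implementation; the zone data (shared-mta.example, alice.example, bob.example, carol.example, dave.example and the 192.0.2.0/24 and 198.51.100.7 addresses) is constructed for illustration and is not real DNS. Only the ip4, include and all mechanisms are implemented, which is enough to show the point.

```python
import ipaddress

# Constructed zone data for the example (not real DNS): domain -> SPF TXT record.
# alice and bob are two unrelated customers of the same shared mail provider.
ZONE = {
    "shared-mta.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "alice.example": "v=spf1 include:shared-mta.example -all",
    "bob.example": "v=spf1 include:shared-mta.example -all",
    "carol.example": "v=spf1 ip4:198.51.100.7 -all",         # runs her own MTA
    "dave.example": "v=spf1 ?include:shared-mta.example -all",  # says NEUTRAL, not PASS
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Evaluate the SPF record of `domain` for a connecting client `ip`.

    Returns one of the SPF result strings. Supports the ip4, include and all
    mechanisms with the four qualifiers; anything else is a PermError here.
    """
    if depth > 10:  # the include recursion limit from the SPF spec
        return "PermError"
    record = zone.get(domain)
    if record is None:
        return "None"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "None"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the included domain's check yields Pass;
            # a missing record is a PermError, errors propagate.
            sub = check_host(ip, arg, zone, depth + 1)
            if sub in ("TempError", "PermError"):
                return sub
            if sub == "None":
                return "PermError"
            matched = sub == "Pass"
        else:
            return "PermError"  # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # no mechanism matched


def shared_mta_results(client_ip="192.0.2.10"):
    """Evaluate several sender domains for one message injected via the shared MTA.

    Whoever is holding the keyboard at the shared MTA (say, a bob.example
    customer) can put alice.example in MAIL FROM and still get Pass, because
    Pass only says the client is authorized for that identity.
    """
    return {
        domain: check_host(client_ip, domain)
        for domain in ("alice.example", "bob.example", "carol.example", "dave.example")
    }


if __name__ == "__main__":
    for domain, result in shared_mta_results().items():
        print(f"{domain:16} from 192.0.2.10 -> {result}")
```

alice.example and bob.example both get Pass from the same client IP, so a reputation system keyed on the Pass cannot distinguish mail Alice sent from mail Bob forged through the same provider; carol.example, with her own MTA, gets Fail from that IP, and dave.example, who used the "?" qualifier on the include, gets Neutral, which is the option b posture for a shared-MTA customer.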

