In <NGBBLEIJOEEEBMEIAPBKGEKKIBAA(_dot_)scott(_at_)kitterman(_dot_)com> Scott
Kitterman <spf2(_at_)kitterman(_dot_)com> writes:
Here is the current definition:
2.5.3. Pass
A "Pass" result means that the client is authorized to inject mail
with the given identity. Further policy checks, such as reputation,
or black and/or white listing, can now proceed with confidence in the
identity.
If I read the first sentence by itself, I think it means authorized,
but not necessarily authentic. Thus it would not be a suitable
basis for reputation.
By including the second sentence in the definition, I infer that
PASS must mean both authorized and authentic because that's
necessary for reputation.
So, I think the paragraph as written is confusing. Now I don't know
which is the right answer. I think SPF has been back and forth
about this over time. I do think that we need to clear it up one
way or another for the RFC. I propose that the council pick one of
two options (or some variation thereof):
As others have mentioned, the subject of "authorization" vs
"authentication" vs "validation" vs ... has been discussed many times,
both here and on the MARID list. I expressed my view on this subject
several times, but Meng didn't apply my suggested changes and the
draft remains pretty much as Meng had it.
Here are my thoughts on the subject:
* In the "security field" there are apparently very exact definitions
of "authorize" and "authentic", along with terms like
"credentials". Despite reading the arguments from several people
who all claimed to understand these terms, I never quite grokked
them.
* The term "authorize" is used throughout the document and appears
to generally mean both "authorize" and "authentic".
* Changing *just* the terminology in the "Pass" definition will
probably cause more confusion than it solves.
* Changing *all* the terminology to what we might think is the
"correct" language will probably bring the wrath of the Security
Experts down on us. It will also likely be a lot of work to make
consistent.
I tend to think that, if we do anything with this, we should put
an explanation in the "Terminology" section explaining what we mean by
the term "authorize".
To make things somewhat easier, in the -01pre7 draft, I have changed
the few places that use the term "authentic" to "authorize". These
references were almost always from recent changes.
Basically, this looks like a can of worms to me and I'm very reluctant
to touch it.
-wayne