spf-discuss

RE: For SPF Council review - PASS Definition - was: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-18 03:34:47

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Scott 
Kitterman
Sent: Tuesday 17 May 2005 21:38
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] For SPF Council review - PASS 
Definition - was: People keep misunderstanding what "Pass" 
and "Neutral" mean


Here is the current definition:

2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity. Further policy checks, such as
   reputation, or black and/or white listing, can now proceed with
   confidence in the identity.

So, I think the paragraph as written is confusing.  Now I
don't know which is the right answer. I think SPF has been
back and forth about this over time. I do think that we need
to clear it up one way or another for the RFC. I propose
that the council pick one of two options (or some variation thereof):

a.  2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity. Further determination is required to
   find out if the message is authentic before policy checks, such as
   reputation, or black and/or white listing, can proceed.

b.  2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity and that the message may be treated as
   authentic. Further policy checks, such as reputation, or black
   and/or white listing, can now proceed with confidence in the
   identity.

Like I said earlier today, just because someone is authorized to use a
relay X, does not mean message Y, sent through relay X, is, for this
reason, authentic. If only it were that simple; then we would never have
to worry about signing messages any more. :) Variant "b", therefore, IMHO,
cannot stand.

As for Variant "a", policy checks, such as black and/or white listing
(based on IP address, or dynamic-looking PTR, etc.) can always proceed,
regardless of the SPF-check outcome. Variant "a", I feel, is, therefore,
too restrictive.

As for authenticity of identity Y, since the client may be authorized to
use other identities as well ("client" not referring to person, but to the
relay and its IP address, of course), the given identity, without
further scrutiny, should really only be considered 'co-ordinately'
authentic.

Perhaps something like this:

2.5.3.  Pass

    A "pass" result means the client is authorized to inject mail with
    the given identity. Since the client may be authorized to use other
    identities as well, the given identity should be considered authentic
    only in that the client may use it. Further checks may be required
    to determine the authenticity of the message as a whole.

Regards,

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
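The point Mark makes above, that a "pass" only says the client is on the given identity's authorized list and that the same client may be authorized for other identities too, can be shown with a toy check_host() over constructed SPF records. This is an added example, not code from the original thread or from any SPF implementation; the domains, IP addresses and records are invented stand-ins for DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no real domains or records).
# Both example.com and example.org authorize the same shared relay.
RECORDS = {
    "example.com": "v=spf1 include:relay.example.net -all",
    "example.org": "v=spf1 include:relay.example.net ~all",
    "relay.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Minimal check_host(): supports ip4:, include:, and the 'all' mechanism.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', or 'none'.
    """
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qualifier]
        name, _, arg = term.partition(":")
        if name == "ip4" and client in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qualifier]
        # include: matches only when the included domain itself yields Pass
        if name == "include" and check_host(ip, arg, depth + 1) == "pass":
            return QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def identities_passing_for(ip, candidates):
    """Every candidate identity for which this client would receive Pass.

    A Pass for one identity says nothing about which of these identities
    the message 'really' came from; that is Mark's 'co-ordinately authentic'.
    """
    return sorted(d for d in candidates if check_host(ip, d) == "pass")


if __name__ == "__main__":
    print(check_host("192.0.2.10", "example.com"))       # pass
    print(identities_passing_for("192.0.2.10", ["example.com", "example.org"]))
```

A client outside the relay's range gets fail or softfail depending on each domain's 'all' qualifier, while a client inside it receives Pass for every identity that includes the relay.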
