spf-discuss

RE: For SPF Council review - PASS Definition - was: People keep misunderstanding what "Pass" and "Neutral" mean

2005-05-18 05:36:43
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of wayne
Sent: Wednesday, May 18, 2005 12:26 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] For SPF Council review - PASS Definition -
was: People keep misunderstanding what "Pass" and "Neutral" mean


In <NGBBLEIJOEEEBMEIAPBKGEKKIBAA(_dot_)scott(_at_)kitterman(_dot_)com> Scott
Kitterman <spf2(_at_)kitterman(_dot_)com> writes:

Here is the current definition:

2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity.  Further policy checks, such as reputation,
   or black and/or white listing, can now proceed with confidence in the
   identity.

If I read the first sentence by itself, I think it means authorized,
but not necessarily authentic.  Thus it would not be a suitable
basis for reputation.

By including the second sentence in the definition, I infer that
PASS must mean both authorized and authentic because that's
necessary for reputation.

So, I think the paragraph as written is confusing.  Now I don't know
which is the right answer.  I think SPF has been back and forth
about this over time.  I do think that we need to clear it up one
way or another for the RFC.  I propose that the council pick one of
two options (or some variation thereof):


As others have mentioned, the subject of "authorization" vs
"authentication" vs "validation" vs ... has been discussed many times,
both here and on the MARID list.  I expressed my view on this subject
several times, but Meng didn't apply my suggested changes and the
draft remains pretty much as Meng had it.


Here are my thoughts on the subject:

* In the "security field" there are apparently very exact definitions
 of "authorize" and "authentic", along with terms like
 "credentials".  Despite reading the arguments from several people
 who all claimed to understand these terms, I never quite grokked
 them.

* The term "authorize" is used throughout the document and appears
 to generally mean both "authorize" and "authentic".

* Changing *just* the terminology in the "Pass" definition will
 probably cause more confusion than it solves.

* Changing *all* the terminology to what we might think is the
 "correct" language will probably bring the wrath of the Security
 Experts down on us.  It will also likely be a lot of work to make
 consistent.

I tend to think that, if we do anything with this, we should put
an explanation in the "Terminology" section explaining what we mean by
the term "authorize".

To make things somewhat easier, in the -01pre7 draft, I have changed
the few places that use the term "authentic" to "authorize".  These
references were almost always from recent changes.


Basically, this looks like a can of worms to me and I'm very reluctant
to touch it.


-wayne

OK.  Let's not approach it that way then.  The key point that I think we
need to get across is that if a domain owner gives an IP a PASS, then they
have agreed to be held accountable for the use of their domain name from
that IP.  So, skipping the whole Authorize/Authentic can of worms, how about
something like this:

2.5.3.  Pass

   A "Pass" result means that the client is authorized to inject mail
   with the given identity.  The domain used in the given identity
   accepts responsibility for messages from the client.  Further
   identity base policy checks, such as reputation, or black and/or
   white listing, can now proceed with confidence in the identity.

I think that clears up what was a point of confusion for me early on and a
long-standing ambiguity in the spec.  Rather than dance around the idea of
accountability, let's just come out and say it.

Scott K

