On Fri, 20 May 2005, David MacQuigg wrote:
Does it require some new authentication method, or can we trust it to
really be the sending MTA's Declaration of Identity?
No, we can't trust it. Any MTA can say anything they want - just like
with the other identities we already have.
Nothing in the ID command is hearsay. You didn't get the information from
someone else. You can't claim that using someone else's ID was an innocent
You have proposed nothing that would allow you to check whether I am
lying about any name I make up for the ID identity.
With an ID command, the border guard says - Give me an ID that authorizes
you to cross this border!! Present a false ID, and you are in trouble.
How would you know whether it is a false ID?
There is a huge black market business in manufacturing false IDs - both
physical and virtual. In a newsletter I received on illegal immigration, a
Congressman claimed he had instructed his staff to steal his identity (to see
how difficult it was). A fake driver's license was $15.
The whole point of SPF is providing a way to check the MAIL FROM ID. There is
no existing or yet proposed method of checking your new ID type.
Microsoft is closer with their PRA ID type. At least they have
*proposed* a checking method, and can force their large customer
base to implement it.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
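
Added example, not part of the original message: a sketch of what checking the MAIL FROM identity against a published SPF record looks like, and why a self-declared name with no published record leaves a receiver nothing to check. The domains, addresses and the `PUBLISHED_TXT` table are constructed stand-ins for DNS, and `check_mail_from` is a hypothetical helper that handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (domains and ranges are made up).
PUBLISHED_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_mail_from(client_ip, mail_from):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP.

    Handles only ip4, ip6 and all; include, a, mx, redirect and macros are
    outside this sketch and yield "permerror".
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = PUBLISHED_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # nothing published, so nothing to check against
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not covered by this sketch
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    print(check_mail_from("192.0.2.25", "alice@example.org"))
    print(check_mail_from("203.0.113.9", "alice@example.org"))
    print(check_mail_from("203.0.113.9", "anything@made-up.example"))
```

The last call returns "none": a name with no published policy behind it can be asserted by any connecting host, and the receiver has no data to test the assertion against.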