At 12:07 PM 5/20/2005 -0500, wayne wrote:
> In <5(_dot_)2(_dot_)1(_dot_)1(_dot_)0(_dot_)20050519171542(_dot_)00c03c28(_at_)pop(_dot_)mail(_dot_)yahoo(_dot_)com> David MacQuigg <david_macquigg(_at_)yahoo(_dot_)com> writes:
>
>> OK, let's nail this down.  Here is the example incoming email, with
>> the proposed ID command.  Assume you have no prior relationship with
>> the sender, so you don't know what authentication method he uses.
>>
>>     EHLO  mailserver7.bigforwarder.com
>>     ID  bigforwarder.com
>>     MAIL FROM:<bob@sales.some-company.com>
>>
>> Without the ID command, you will waste a bunch of DNS queries and
>> possibly conclude this sender offers no authentication.

<end of discussion on DNS queries>
<start discussion on possible abuse of ID command>

> The problems with trusting the sender to tell you what you should
> check were just discussed by you and me on the ietf-822 list a few days
> ago.  It was a bad idea there and then, it is still a bad idea here
> and now.  I will not repeat on spf-discuss what has already been said
> on ietf-822.

This was a discussion on Hector's suggestion to add a bunch of options to
the ID command, specifying which authentication methods to use.  Wayne
pointed out that none of that information could be trusted.  I agreed, but
said that I would still support Hector's proposal in the interest of
compromise.  We need to do a DNS query anyway, and if the methods called
for in that query contradict the information in the ID command, we can
ignore the methods in the ID command.

Apparently we didn't finish this discussion.

> The idea of creating a new identity for the sole purpose of
> authentication has been discussed before.  In particular, Meng
> proposed that the "submitter" identity should be turned around.
> Instead of the identity given by the submitter parameter having to
> match the PRA as determined by the headers, the MTA should make sure
> that the appropriate headers are added so that it matches.

SUBMITTER would work if they didn't overload it with PRA stuff.  What a shame!!

> This idea didn't get a lot of support, but I encourage you to read the
> MARID list archives to learn what was discussed previously.

The issue is simple and should not require digging through the MARID
archives.  Please refer to my discussion with Stuart - Is the ID command
hearsay?

--
Dave
************************************************************     *
* David MacQuigg, PhD     email: david_macquigg at yahoo.com     *  *
* IC Design Engineer            phone:  USA 520-721-4583      *  *  *
* Analog Design Methodologies                                 *  *  *
*                                 9320 East Mikelyn Lane       * * *
* VRS Consulting, P.C.            Tucson, Arizona 85710          *
************************************************************     *