At 12:07 PM 5/20/2005 -0500, wayne wrote:
In <5(_dot_)2(_dot_)1(_dot_)1(_dot_)0(_dot_)20050519171542(_dot_)00c03c28(_at_)pop(_dot_)mail(_dot_)yahoo(_dot_)com> David MacQuigg
<david_macquigg(_at_)yahoo(_dot_)com> writes:
> OK, let's nail this down. Here is the example incoming email, with
> the proposed ID command. Assume you have no prior relationship with
> the sender, so you don't know what authentication method he uses.
>
> EHLO mailserver7.bigforwarder.com
> ID bigforwarder.com
> MAIL
FROM:<<mailto:bob(_at_)sales(_dot_)some-company(_dot_)com>bob(_at_)sales(_dot_)some-company(_dot_)com>
>
> Without the ID command, you will waste a bunch of DNS queries and
> possibly conclude this sender offers no authentication.
<end of discussion on DNS queries>
<start discussion on possible abuse of ID command>
The problems with trusting the sender to tell you what you should
check was just discussed by you and me on the ietf-822 list a few days
ago. It was a bad idea there and then, it is still a bad idea here
and now. I will not repeat on spf-discuss what has already been said
on ietf-822.
This was a discussion on Hector's suggestion to add a bunch of options to
the ID command, specifying which authentication methods to use. Wayne
pointed out that none of that information could be trusted. I agreed, but
said that I would still support Hector's proposal in the interest of
compromise. We need to do a DNS query anyway, and if the methods called
for in that query contradict the information in the ID command, we can
ignore the methods in the ID command.
Apparently we didn't finish this discussion.
The idea of creating a new identity for the sole purpose of
authentication has been discussed before. In particular, Meng
proposed that the "submitter" identity should be turned around.
Instead of the identity given by the submitter parameter having to
match the PRA as determined by the headers, the MTA should make sure
that the appropriate headers are added so that it matches.
SUBMITTER would work if they didn't overload it with PRA stuff. What a shame!!
This idea didn't get a lot of support, but I encourage you to read the
MARID list archives to learn what was discussed previously.
The issue is simple and should not require digging through the MARID
archives. Please refer to my discussion with Stuart - Is the ID command
hearsay?
--
Dave
************************************************************ *
* David MacQuigg, PhD email: david_macquigg at yahoo.com * *
* IC Design Engineer phone: USA 520-721-4583 * * *
* Analog Design Methodologies * * *
* 9320 East Mikelyn Lane * * *
* VRS Consulting, P.C. Tucson, Arizona 85710 *
************************************************************ *