Re: Authentication vs. Authorization

Julian Mehnle wrote:

[...]
SPF, from a strictly technical standpoint, is a method for authorizing(implicitly) authentic IP addresses to use a certain domain name as theidentity. This, in itself, is not equivalent to the authentication of adomain. In order to gain real value from SPF with regard to reputationsystems, we need to somehow bridge the gap from the authorization of IPaddresses to the authentication of domain names.
The only practical and useful way to do this is to require the domain ownerto take responsibility for the cases where authorized IP addresses sendunauthentic (i.e. forged) mail, i.e. requiring them to declare full trustin their outgoing MTAs.
[...]

But isn't an administrator, by virtue of including an MTA (by whichevercriteria they use) in their domain's SPF RR, explicitly taking an actionthat communicates trust in that MTA? To put it another way, unless Ifully trusted that a given MTA would (or could) not be used toimpersonate my domain (or another apparently on my behalf) to conductinappropriate activities then why would I take the dangerous step ofincluding it in my list of trusted senders? I wouldn't, of course.

It seems quite natural and logical, then, that I must takeresponsibility for the MTA's I allow in my SPF record (which makesinclude a tricky proposition, IMHO, particularly across domains). Istake some of my own reputation in the event that one of them abusesthat trust, or wasn't actually worthy of it.


Bill

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:

Re: What to do about redirect= and NXDOMAIN?, Bill Taroli

Next by Date:

Re: Results from the SPF council review on I-D issues., Frank Ellermann

Previous by Thread:

Authentication vs. Authorization (was: For SPF Council review - PASS Definition), Julian Mehnle

Next by Thread:

Re: Authentication vs. Authorization, Paul Ficinski

Indexes:

[Date] [Thread] [Top] [All Lists]