spf-discuss

RE: Authentication vs. Authorization

2005-05-21 22:49:37

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of wayne
Sent: Sunday, 22 May 2005 5:58
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Authentication vs. Authorization



In <200505211702(_dot_)55793(_dot_)bulk(_at_)mehnle(_dot_)net> Julian Mehnle
<bulk(_at_)mehnle(_dot_)net> writes:

Bill Taroli wrote:

| 2.5.3.  Pass
|
|    A "Pass" result means that the client is authorized to
|    inject mail with the given identity. Further policy checks,
|    such as reputation, or black and/or white listing,
|    can now proceed with confidence in the identity.

Therefore I think we should adopt Scott Kitterman's proposal:

| 2.5.3.  Pass
|
|    [same as above]  The domain used in the given identity
|    accepts responsibility for messages from the client. Further
|    identity base [same as above]

Wayne, what do you think?

I think that "accepts responsibility" is a loaded term that will scare
away people from publishing SPF records. Does that mean that the
domain owner must accept all responsibility for any illegal, immoral or
unethical behavior that the MTA owner and/or user of that MTA may do?

I fully agree; "accepts responsibility" is a term fraught with legal
pitfalls. Not to mention that 'accepts responsibility for the message' and
(the perhaps more appropriate) 'accepting responsibility for the use of
the domain name' are two entirely different things, -- legally, I mean.

Also, perhaps a nitpick, but a "domain" is not itself a 'legal
person' that can take responsibility for anything; a 'domain owner',
however, is.

A small emendation would fix the 'legal' problem:

    2.5.3.  Pass

    [same as above] The domain owner vouches for the authorized
    use of the domain used in the given identity.

Except, of course, that this wording is awfully reminiscent of the
preceding "A 'Pass' result means that the client is authorized to inject
mail with the given identity." Which leads me to believe that we might
then just as well drop the whole "accepting responsibility" bit.

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

