-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'll give my opinion not as a council member, but as an individual.
Mark wrote:
In a nutshell, we would like to solicit your position on whether SPF can
be said to 'authenticate' the identity on "pass", or wether the
connecting client can only be considered 'authorized' to use the
identity. Where "authentic", in this context, means: "not forged".
Roughly, there are two main positions:
1): If the cross-user forgery thing is the only issue that keeps us from
asserting authenticity, we should instead find a way to make it clear to
publishers that they must assume responsibility if they authorize an
MTA. Therefore, the following wording remains applicable:
"can now proceed with confidence in the identity".
It may have become apparent that I subscribe to the idea that SPF "Pass"
should assert _authentic_ use of the identity, and that only identity
owners can (and must) define what constitutes a "forgery" of their
identity.
Therefore, where sufficient security against forgery (as defined by the
domain owner) is difficult to achieve (such as with shared MTAs that do
not protect against cross-user forgery[1] -- are there other cases?),
domain owners should choose either to accept responsibility for
illegitimate uses of the domain name, or not to authorize insecure MTAs.
I think it is reasonable to require domain owners to choose between these
two options. And if we do that, we can define "Pass" to assert
authenticity.
In the same vein, we would also like to know whether the domain owners
among you assumed that receivers would take SPF-verified identites as
'authentic' (position 1) or just as 'authorized' (position 2) when they
published their policies.
To be honest, I do not use shared MTAs, therefore it is easy for me to
accept responsibility for the use of my domain names. Also, I would like
for receivers to be able to treat "Pass"ed uses of my domain name as
authentic.
We feel the issue is important; especially so if reputation-checks are
to become a more pronounced part of SPF.
Accepting responsibility for the authorized use of a domain name means that
reputation can be applied. If we choose for "Pass" not to assert
authenticity, we cannot honestly suggest that people base reputation on
"Pass"ed domaines. I think that would be a great loss in the value of
SPF.
References:
1.
http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02pre1.html#cross-user-forgery
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCn0dqwL7PKlBZWjsRAt9eAJ9I0QiwByF2+wNkQKADaebNae/jlQCg12m7
JuuBv4XB0rfclGFb/yDGxiM=
=aB1x
-----END PGP SIGNATURE-----