Dennis Willson wrote:
> To me, authentication implies proof that the sender is who they say they
> are. I use certificates to sign any email that I need to authenticate
> a specific sender. SPF doesn't authenticate the sender or even the
> domain.

Right, SPF generally cannot authenticate the use of sender addresses. It
_authorizes_ the use of _domains_ by IP addresses.

Now, does it _authenticate_ the use of domains?

I think it very well makes sense to say that if an individual is thought of
by the domain owner as being "allowed" to use the domain, then the use of
the domain in any messages by that user can be considered _authentic_.

Now, what does "allowed" mean in practice?

There is a theoretical, ideal concept of "allowed", which means that
exactly those individuals that the domain owner wants should be authorized
to use the domain in question. This, however, cannot be achieved through
SPF because its granularity of authorization is IP addresses, not
individuals.

Then there is a concept of "allowed" that is practical for the purposes of
SPF: the domain owner can authorize IP addresses, meaning groups of users,
to use the domain. If you as a domain owner do not want to authorize some
of the users associated with a certain IP address, and you cannot trust
the IP address to prevent cross-user forgery, then don't authorize that IP
address flat out, "+"-style. That's what "?" (Neutral) is for.

The reason for the problem we're debating is that SPF can only authorize
_groups_ of people to use a certain domain name, or, that SPF can only
authenticate the use of a certain domain name by _groups_ of people.

The reason is NOT that there would be a meaningful difference between...

| entity X is authorized to use the identity Y

...and...

| the use of identity Y by entity X is authentic

There isn't.

If anyone thinks there _is_ a difference, I would be pleased if they could
explain it to me.

(I'm not saying there is no difference between the concepts of
"authorization" and "authentication". There _is_ a difference; in the
context of verifying identities (of whatever granularity) it is roughly
the same as that between "write" and "read".)

Dennis Willson wrote:
> Also the only assumption I make on receiving an SPF PASS is that it came
> from an MTA that has permission (is authorized) to send on their behalf,
> but I don't assume it's not forged.

William Leibzon wrote:
> The issue is that you don't want to make a confusion by making it appear
> that just because the identity being used in email is authorized, that
> email message itself is authentic. There is no way to tell that - it's
> quite possible for another user on the same network (read for zombie host
> on the same network ...) to have sent the email, etc.

Again, what's the difference between one being authorized to use a domain
and one's use of a domain being authentic? Are you saying that there are
people who are authorized to use a domain, but whose use of that domain
isn't authentic? In other words, are you saying that the concept of
authorizing people to forge a domain is meaningful?
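
Added example, not part of the original message: a small evaluator for the "+" versus "?" distinction made above, showing how a receiver's SPF result differs for a dedicated MTA and for a shared relay that cannot prevent cross-user forgery. The domain, the record and the addresses are constructed for illustration, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# SPF qualifier -> result name. "+" is the default when no qualifier is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for the hypothetical domain example.org:
#   192.0.2.10       dedicated outbound MTA, only the owner's users  -> "+"
#   198.51.100.0/24  shared relay pool, cross-user forgery possible  -> "?"
RECORD = "v=spf1 +ip4:192.0.2.10 ?ip4:198.51.100.0/24 -all"


def check_ip(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all terms of an SPF record for one client IP.

    Mechanisms are tried left to right and the first match decides the
    result. Any other term (a, mx, include, redirect=, ...) raises
    ValueError instead of being silently skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported term: {term!r}")
    return "neutral"  # no mechanism matched: the default result is Neutral


def demo() -> dict:
    """Results for the dedicated MTA, a shared-pool host and an unlisted host."""
    clients = ("192.0.2.10", "198.51.100.77", "203.0.113.5")
    return {ip: check_ip(RECORD, ip) for ip in clients}


if __name__ == "__main__":
    for ip, result in demo().items():
        print(f"{ip:15} {result}")
```

A receiver sees Pass only for the address the domain owner vouches for outright; mail from the shared pool yields Neutral, so the owner has not asserted that every user behind those addresses may use the domain.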