spf-discuss

RE: Request for Input on the meaning of "pass".

2005-06-02 14:38:23

-----Original Message-----
From: Mark [mailto:admin(_at_)asarian-host(_dot_)net]
Sent: Thursday 2 June 2005 19:22
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Request for Input on the meaning of "pass".
There is an issue regarding "pass" that we, the SPF Council,
would like to have your opinion on.

I, too, will give my opinion not as a Council member, but as an individual.

    2.5.3. Pass

    A "Pass" result means that the client is authorized to inject mail
    with the given identity. Further policy checks, such as reputation,
    or black and/or white listing, can now proceed with confidence in
    the identity.

2): Even if a publisher chooses to authorize an MTA patched to prevent
cross-user forgery, then, without adding to the spec, there is still
no way for a receiver to know this; so that "pass" can really only mean:

    "can now proceed with confidence in the legitimate use of the
    identity".

Historically, I have always been far more interested in SPF "fail" than in
"pass". That, to me, is still where the real value of SPF lies.

Now, in order to make a positive 'authentic' determination, not only
should cross-user forgery be prevented (which means MTAs need to be
patched), but those MTAs would also need a (trusted!) mechanism to make
known to the receiver that such patches are in place; and since the
current SPF spec offers no way of doing that, I cannot in good conscience
say an SPF "pass" means the identity is 'authentic'. It should therefore
not come as a surprise that I subscribe to position 2.

Also, considering the above, I would like to point out, that finding a
mechanism by which the MTA can tell the receiver it is patched against
cross-user forgery, is in itself no sinecure. Because the receiver would
have to be able to make the determination whether such mechanism itself
were authentic.

The only-ever place, perhaps, where an SPF identity may be said to be
'authentic', is during HELO/EHLO -- provided they produce a "pass", of
course. And this for the simple reason that the HELO/EHLO identity is not
subject to cross-user forgery, and under the sole control of the sending
MTA. Though in the strictest possible sense not even true, I nonetheless
consider a HELO/EHLO identity 'authentic' if it produces an SPF "pass" and
resolves to the IP address of the sending MTA. And since I do most of my
'karma' stuff against such HELO/EHLO identities, I can live with that.

However, since SPF includes (or I should say, is primarily built around)
the MAIL FROM identity, in an overall sense, "pass", to me, really only
can mean the receiver "can now proceed with confidence in the legitimate
use of the identity". Nothing more, nothing less.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
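As an added illustration of the distinction drawn in the message above (this is example code, not part of the original post and not the SPF project's own code), the following toy SPF-style evaluator runs over a constructed in-memory DNS table. It evaluates the record of an identity's domain against the connecting IP for both the MAIL FROM and the HELO/EHLO identity, supports only the `ip4`, `a`, `include` and `all` mechanisms, and shows two things: a MAIL FROM "pass" is identical for alice@ and bob@ of the same domain sent through the same authorized MTA (cross-user forgery is invisible to SPF), while the stricter HELO test of "SPF pass AND the HELO name resolves to the connecting IP" pins the identity to the sending host. All domain names, addresses and records are constructed (RFC 5737 documentation ranges), and `check_host`, `helo_identity_authentic` and `mail_from_result` are names chosen here, not from any library.

```python
"""Toy SPF evaluator over a constructed DNS table (example code, not
from the original post). Handles ip4, a, a:domain, include:domain and
all with the +, -, ~ and ? qualifiers; other mechanisms are ignored."""
import ipaddress

# Constructed DNS data; none of these names or addresses are real.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 a:mail.example.com ip4:198.51.100.0/24 -all"],
        "A": ["203.0.113.10"],
    },
    "mail.example.com": {"TXT": ["v=spf1 a -all"], "A": ["203.0.113.25"]},
    "example.net": {"TXT": ["v=spf1 include:example.com -all"]},
    # SPF authorizes a whole /24 here, but the name itself resolves
    # to a different host than the one connecting (.30 vs .25).
    "mail.example.org": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"],
                         "A": ["203.0.113.30"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(domain, rtype):
    return DNS.get(domain, {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain):
    """Evaluate domain's SPF record for connecting address ip.
    Returns pass / fail / softfail / neutral / none."""
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in lookup(arg or domain, "A")
        elif name == "include":
            matched = check_host(ip, arg) == "pass"
        else:
            continue  # unsupported mechanism in this toy: skipped
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched: SPF default result


def mail_from_result(ip, mail_from):
    """SPF over MAIL FROM: only the domain part is ever checked, so
    every local part at an authorized MTA gets the same result."""
    return check_host(ip, mail_from.rsplit("@", 1)[-1])


def helo_identity_authentic(ip, helo):
    """The stricter HELO test from the message: SPF pass for the HELO
    name AND the name resolves to the connecting IP."""
    return check_host(ip, helo) == "pass" and ip in lookup(helo, "A")


def demo(ip="203.0.113.25"):
    """Constructed scenario: one MTA at ip, authorized for example.com."""
    return {
        "mail_from_alice": mail_from_result(ip, "alice@example.com"),
        "mail_from_bob": mail_from_result(ip, "bob@example.com"),
        "helo_example_com_authentic": helo_identity_authentic(ip, "mail.example.com"),
        "helo_example_org_spf": check_host(ip, "mail.example.org"),
        "helo_example_org_authentic": helo_identity_authentic(ip, "mail.example.org"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows both MAIL FROM identities passing with nothing to tell them apart, mail.example.com passing the HELO test, and mail.example.org getting an SPF "pass" yet failing the stricter test because the name does not resolve to the connecting address. A real evaluator would also need mx, exists, redirect, macros, the DNS lookup limit and the sender's actual resolver; this toy is only meant to make the pass semantics concrete.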