spf-discuss

RE: Request for Input on the meaning of "pass".

2005-06-02 17:38:38

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
Julian Mehnle
Sent: Friday 3 June 2005 1:47
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Request for Input on the meaning of "pass".


Mark wrote:

The record, for sure, would be 'authentic'; the object of
that record, however, would not be; which is to say, "op=MTA is
trusted to handle only my domain" may be an authentic record, but
the domain owner cannot speak for the MTA in that fashion.

Yes, it can. Just like the domain owner can speak for all
MTAs in the world by saying "v=spf1 +all", which is a valid
policy, isn't it?

There is a vast difference between saying: "I, the domain owner, trust all
MTAs" (which "v=spf1 +all" implies) and saying: "I, the domain owner,
assert that this or that MTA prevents cross-user forgery."

If the domain owner wants to express trust in the MTA, why can't he
do that?

He can express trust in the MTA alright; the domain owner is just not in a
position to claim what anti-forgery mechanisms said MTA has installed. To
make it concrete, saying "I, the domain owner, trust AOL to handle my
mail" is complete valid in SPF (read: may be considered an 'authentic'
claim). But it would be outlandishly out-of-line for the domain owner to
assert: "I, the domain owner, claim AOL has cross-user forgery protection
in place to guarantee the authenticity of my vanity domain." Such claims
as the latter, I hope, no person would ever accept except from the
MTA itself.

And why should a receiver not believe in what the domain owner
said? After all, it is beyond the domain owner's power to
diminish the reputation of any domain except of his own.

'Authenticity' and 'taking someone on his word' may well overlap, but they
are not exactly synonymous, of course. 'Authentic' really just means you
have established, by technical means, that the identity is not forged
(barring hacked DNS and such). To say that "pass" makes an identity
authentic just because I should have no reason to disbelieve the claim, is
like saying: "The identity is authentic because you must trust me to
believe it is authentic." That logic, to me, does not compute.

Only the MTA itself could provide such a mechanism.

No, because the MTA may have an interest in making false
assertions about its own security.

That may be; and it would be a foolish thing for the MTA to assert this.
Nevertheless, the receiver can only consider such a claim to be 'authentic'
if it came from the MTA in question -- I am not talking about the
truthfulness of that claim. That principle is at the heart of SPF: we only
take the domain owner's word for who he authorizes. Conversely, only the
MTA can speak for the MTA.

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx