spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 17:54:09

Mark wrote:
> [...] the domain owner is just not in a position to claim what anti-
> forgery mechanisms said MTA has installed. To make it concrete, saying
> "I, the domain owner, trust AOL to handle my mail" is completely valid in
> SPF (read: may be considered an 'authentic' claim). But it would be
> outlandishly out-of-line for the domain owner to assert: "I, the domain
> owner, claim AOL has cross-user forgery protection in place to guarantee
> the authenticity of my vanity domain."

But that's not what a domain owner would have to do.  Instead, he would 
assert: "I, the domain owner, trust AOL not to allow anyone to use my 
domain for whose actions I will not accept responsibility with regard to 
my domain's reputation", or in other words: "I accept responsibility with 
regard to my domain's reputation for all mail that AOL allows to use my 
domain".

> And why should a receiver not believe in what the domain owner
> said? After all, it is beyond the domain owner's power to
> diminish the reputation of any domain except of his own.
>
> 'Authenticity' and 'taking someone on his word' may well overlap, but
> they are not exactly synonymous, of course. 'Authentic' really just
> means you have established, from technical means, that the identity is
> not forged (barring hacked DNS and such).

No one has defined "forged" so far.  Except for Dennis Willson, who seems 
to think of the ideal, but practically useless, meaning "the user hasn't 
typed the message into the keyboard himself".

> To say that "pass" makes an identity authentic just because I should have
> no reason to disbelieve the claim

I have not said that.

What I am saying is that, unless we want to overload "Pass" with the 
meaning of "Neutral" (and then consequently get rid of "Neutral"), there 
is no meaningful difference between...

| The owner of domain X authorizes IP address Y to use the domain X.

...and...

| The owner of domain X declares that every use of domain X by IP address Y
| shall be considered authentic. 