-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Alex van den Bogaerdt wrote:
On Fri, Jun 03, 2005 at 02:35:38AM +0200, Julian Mehnle wrote:
SPF authorizes IP addresses. Of course this does not mean that SPF
authenticates IP addresses. SPF is supposed to authenticate
_domains_.
That's where we disagree. SPF _authorizes_ hosts to use domains.
I never said anything to the contrary.
SPF is not: is this example.org
SPF is not: is this mail.example.com
SPF is: is mail.example.com allowed to say ...
I never said anything to the contrary.
Just because the concepts of authorization and authentication are not
identical and SPF includes the concept of authorization, that does not
mean that SPF cannot also include the concept of authentication.
Nor does it mean it can. This proves nothing.
It wasn't meant to prove anything, but to counter your similar statement
(see the context in the message where I wrote it).
I always thought that authenticity was all about being able to take
something for what it appears to be.
Indeed it does. The host appears to be "mail.example.com", but is it
authorized to say "mail from: user(_at_)example(_dot_)org" ? It certainly
doesn't appear to be "example.org", does it?
Of course it doesn't. That's not what the MAIL FROM command says. The
HELO command claims the identity of the MTA. The MAIL FROM command claims
the identity of the _sender_.
Is this something that can theoretically be authenticated, based on the
domain owner's definition of "authentic", or is it not?
You can't apply reputation without being sure that the identity at
hand can be considered authentic.
Oh? Why not?
Because reputation of some identity is all about holding the identity
responsible for its actions. How can I do that if the identity owner is
able to claim that he authorized the use of the identity for the action,
but that the use was "not authentic"?
What's that supposed to mean?
Remember what you said before:
| > I always thought that authenticity was all about being able to take
| > something for what it appears to be.
|
| Indeed it does.
So, are you saying that I can apply reputation to an identity _without_
being sure that the identity was used with its owner's consent?
That would be like you blacklisting mehnle.net because spammers have
joe-jobbed me multiple times.
So I stick to my point: You can't apply reputation without being sure that
the identity at hand can be considered authentic.
example.org TXT "v=spf1 mail.example.com -all"
All spam/virus/other from any(_at_)example(_dot_)org sent by mail.example.com
will damage example.org's reputation.
But only if we define "Pass" in a way such that it implies authenticity.
Otherwise, a bad reputation for example.org may be unjustified, see my
deliberations above.
Does it matter if it was or was not example.org submitting that message?
No. example.org trusts mail.example.com
Making it explicit, this trust means: "example.org trusts mail.example.com
not to allow cross-customer forgeries". Which is the same as asserting
authenticity.
and if this trust is misplaced, example.org does something wrong and
earns the bad reputation if it continues to use mail.example.com.
Reputation is not damaged if a single bad message is sent. Shit happens.
Reputation is damaged if large quantities of bad mail are sent and/or
this abuse lasts long.
[...]
True, but besides the point.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCn7mKwL7PKlBZWjsRAjeDAJ9HAVMEJ9IhNvPGQOMv4VXrmLcivwCfZz3D
EmAaJNyeBXmthubwdrIBluE=
=2SbG
-----END PGP SIGNATURE-----