spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 19:31:18
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wayne Schlitt wrote:
> [...] I think that venturing anywhere near the idea of "accepting
> responsibility" will scare away some publishers, and do nothing to
> actually hold abusive senders accountable.

Do you think that DomainKeys/IIM is doomed to fail for the same reason?  
AFAIK, its key point is to assert authenticity (and thus responsibility).

> I think there will always be a struggle over how to interpret the SPF
> results.  Receivers will push for more accountability and stricter
> requirements.  They will reject on Neutral/None, and try to hold
> senders accountable for the smallest abuses from anything other than
> Fail.  Senders will try to maximize the chances that their messages
> get delivered and try to avoid the really costly steps needed to make
> sure abuse never happens.

Are you saying that, in any case, everybody is going to act as if asserting 
"Pass" meant accepting responsibility?  If so, what's the point of 
pretending that it doesn't?

> I actually somewhat like the mengwong-spf-* definitions of Pass:
> 
>      Pass (+): the message meets the publishing domain's definition of
>      legitimacy.  MTAs proceed to apply local policy and MAY accept or
>      reject the message accordingly.

> This is actually somewhat of a tautology.  The Senders and Receivers
> can argue all they want over what "legitimacy" means,

No, they can't, and incidentally that's also the very reason why I, too, 
like the wording.  Only the domain owner, as the authoritative authority 
(hint, hint), can define what constitutes "legitimacy", "forgery", 
"authenticity", etc.  And the sender really doesn't have to care about 
exactly _how_ those are defined.

> When I read that definition of Pass, I don't see it saying "authentic"
> at all, but Julian does.

As far as I can see, what my understanding and your understanding of the 
mengwong-spf-* definition have in common is that we both accept that the 
domain owner declares consent to being treated as responsible (in the 
sense of typical reputation systems) by the receiver for "Pass"ed uses of 
the domain.

You (and Meng) call it "legitimacy".  I call it "authenticity".  But it is 
really all the same.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCn8D2wL7PKlBZWjsRAnRpAJ9n3/cv/ZWO4CEUv4FRth6deiIsbwCfXh6B
1QtaqXGaL/RRpq5QIcs28xQ=
=DlL2
-----END PGP SIGNATURE-----
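The quoted mengwong-spf-* definition says that "Pass" only means the message meets the publishing domain's own definition of legitimacy, and that the receiving MTA then applies local policy. The following is an added example, not code from the thread or from any SPF implementation: it parses a Received-SPF header (the layout used by SPF checkers, with a result token, an optional parenthesised comment, and key=value pairs), and then applies a receiver-side local policy in the two styles the thread contrasts, a lenient receiver that rejects only on Fail and a strict one that also rejects on Neutral/None. On Pass the decision is delegated to a per-domain reputation table, which is where the "responsibility" the thread argues about actually bites. The reputation scores, domain names and header lines are constructed for the example.

```python
"""Receiver local policy applied to SPF results (added example)."""
import re
from enum import Enum


class SpfResult(Enum):
    """Result values an SPF check can produce."""
    PASS = "pass"
    FAIL = "fail"
    SOFTFAIL = "softfail"
    NEUTRAL = "neutral"
    NONE = "none"
    TEMPERROR = "temperror"
    PERMERROR = "permerror"


# Constructed reputation table keyed by the domain whose policy produced
# the Pass.  By publishing a policy the owner consents to being treated as
# responsible for Pass'ed uses, so this is the natural key for reputation.
REPUTATION = {
    "good.example": 0.9,
    "spammy.example": 0.1,
}

# Received-SPF: <result> (<comment>) key=value; key=value; ...
RECEIVED_SPF_RE = re.compile(
    r"^\s*(?P<result>[A-Za-z]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<kv>.*)$",
    re.DOTALL,
)


def parse_received_spf(header_value):
    """Return (SpfResult, envelope-from domain or None, key/value dict)."""
    m = RECEIVED_SPF_RE.match(header_value)
    if not m:
        raise ValueError("malformed Received-SPF header")
    result = SpfResult(m.group("result").lower())
    pairs = {}
    for part in m.group("kv").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    sender = pairs.get("envelope-from", "").strip("<>")
    domain = sender.split("@")[-1].lower() if sender else None
    return result, domain, pairs


def local_policy(result, domain, strict=False, reputation=REPUTATION,
                 threshold=0.5):
    """Map an SPF result to 'accept', 'reject' or 'greylist'.

    strict=False is the lenient receiver from the thread (rejects on Fail
    only); strict=True is the receiver that also rejects on Neutral/None.
    A Pass is never an automatic accept: it hands the decision to the
    reputation of the domain that vouched for the message.
    """
    if result is SpfResult.FAIL:
        return "reject"
    if result is SpfResult.PASS:
        # Unknown domains get the threshold score, i.e. benefit of the doubt.
        score = reputation.get(domain, threshold) if domain else threshold
        return "accept" if score >= threshold else "reject"
    if result is SpfResult.SOFTFAIL:
        return "greylist"
    if result is SpfResult.TEMPERROR:
        # Transient DNS problem: defer rather than decide on missing data.
        return "greylist"
    # NEUTRAL, NONE and PERMERROR carry no assertion from the domain owner.
    return "reject" if strict else "accept"


def decide(header_value, strict=False):
    """Parse a Received-SPF header and return the local-policy decision."""
    result, domain, _ = parse_received_spf(header_value)
    return local_policy(result, domain, strict=strict)


if __name__ == "__main__":
    # Constructed header lines in the Received-SPF layout.
    samples = [
        "pass (domain of a@good.example designates 192.0.2.1 as permitted "
        "sender) client-ip=192.0.2.1; envelope-from=a@good.example;",
        "pass (domain of b@spammy.example designates 192.0.2.2 as permitted "
        "sender) client-ip=192.0.2.2; envelope-from=b@spammy.example;",
        "none (no SPF record) client-ip=192.0.2.3; envelope-from=c@nospf.example;",
        "fail (not permitted) client-ip=192.0.2.4; envelope-from=d@good.example;",
    ]
    for line in samples:
        print(f"lenient={decide(line):8s} strict={decide(line, strict=True):8s} "
              f"<- {line.split(' ', 1)[0]}")
```

The point the example makes is that two receivers holding opposite views on Neutral/None can share exactly the same treatment of Pass: both take it as the domain owner's assertion and hold that domain, not the message, accountable through reputation.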