spf-discuss
[Top] [All Lists]

Re: Request for Input on the meaning of "pass".

2005-06-02 19:35:02
On Fri, Jun 03, 2005 at 03:59:38AM +0200, Julian Mehnle wrote:

SPF authorizes IP addresses.  Of course this does not mean that SPF
authenticates IP addresses.  SPF is supposed to authenticate
_domains_.

That's where we disagree.  SPF _authorizes_ hosts to use domains.

I never said anything to the contrary.

You say auth_enticate_ I say auth_orize_.
You say _domains_ I say _hosts_.

SPF is not: is this example.org
SPF is not: is this mail.example.com
SPF is:     is mail.example.com allowed to say ...

I never said anything to the contrary.

<quote>SPF is supposed to authenticate _domains_.</quote>

This matches either the first or the second from my list. In both
cases I say "SPF is not".

Oh?  Why not?

Because reputation of some identity is all about holding the identity 
responsible for its actions.  How can I do that if the identity owner is 
able to claim that he authorized the use of the identity for the action, 
but that the use was "not authentic"?

What's that supposed to mean?

Remember what you said before:

| > I always thought that authenticity was all about being able to take
| > something for what it appears to be.
|
| Indeed it does.

So, are you saying that I can apply reputation to an identity _without_ 
being sure that the identity was used with its owner's consent?

Yes and no.  See next paragraph.

That would be like you blacklisting mehnle.net because spammers have 
joe-jobbed me multiple times.

Only if sent through a host _you_ authorized.  In that case: yes, I
don't care if it was or was not really you.  It is your domain that
is used in spam and it is your domain that got a bad reputation because
_you_ _authorized_ this spam outlet.  You _are_ doing harm to me,
either by spamming me directly or by authorizing this other host to
do so.  I don't care which it is, I just don't want to receive it.

If you are not careful to select host you can (not: do) trust, your
reputation will suffer.  If you are indeed joe-jobbed multiple times
yet you do not alter your mail policy, your reputation will be damaged
beyond the point where I will accept mail "from" you (true or not).

Your domain is used by spammers and you authorize that.  Your name
is all I need to see to block a message.  From that moment on, I'm
not even going to verify the host using SPF.

So I stick to my point:  You can't apply reputation without being sure that 
the identity at hand can be considered authentic.

If you have made up your mind and don't want to discuss this any
further, then don't.  You don't have to say what your opinion is,
we already know.

Sorry, but you are just jumping to a conclusion without supporting
your claim.  And I just don't agree with the steps necessary to fill
the gap you jump over.

example.org TXT "v=spf1 mail.example.com -all"

All spam/virus/other from any(_at_)example(_dot_)org sent by 
mail.example.com
will damage example.org's reputation.

But only if we define "Pass" in a way such that it implies authenticity.  
Otherwise, a bad reputation for example.org may be unjustified, see my 
deliberations above.

No. It doesn't matter where this mail comes from.  If example.org
authorizes mail.example.com to do so, knowing that this host is
bad, it is example.org being unresponsible (as well as mail.example.com).

There is no need, at all, to know where the mail originates.  If
you want to know, for 99.9998 percent sure, that it came from
example.org you will need authentication and thus you will need
something (much) stronger than SPF.

Does it matter if it was or was not example.org submitting that message?
No.  example.org trusts mail.example.com

Making it explicit, this trust means: "example.org trusts mail.example.com 
not to allow cross-customer forgeries".  Which is the same as asserting 
authenticity.

NO I DO NOT SAY THAT.  Don't put words in my mouth.

I trust a certain host to deal swiftly with any user gone rogue.
This host does NOT authenticate outgoing mail in any way. I do
not know all of its customers yet I am fully confident I can trow
a PASS at you.  There is no reason for me not to trust this host,
no matter how many times you are going to say I shouldn't.

and if this trust is misplaced, example.org does something wrong and
earns the bad reputation if it continues to use mail.example.com.
Reputation is not damaged if a single bad message is sent.  Shit happens.
Reputation is damaged if large quantities of bad mail are sent and/or
this abuse lasts long.
[...] 

True, but besides the point.

No, it _is_ the point.

Either I (the domain owner) stop trusting this host, or the host
stops trusting the other customer ("rm -rf ~user" style), or you
stop trusting my mail.

That's what reputation is about.

Alex
P.S.  Even I need my 5 hours of sleep and am going to do that in
30 seconds.  Don't think this discussion is abandoned if you don't
hear from me in the next couple of hours.


<Prev in Thread] Current Thread [Next in Thread>