spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 19:43:40
In <200506030431.18686.bulk@mehnle.net> Julian Mehnle
<bulk@mehnle.net> writes:

> Wayne Schlitt wrote:
>> [...] I think that venturing anywhere near the idea of "accepting
>> responsibility" will scare away some publishers, and do nothing to
>> actually hold abusive senders accountable.
>
> Do you think that DomainKeys/IIM is doomed to fail for the same reason?
> AFAIK, its key point is to assert authenticity (and thus responsibility).

I'm not sure what the current DK/IIM drafts say, but I do think that
this will be a problem with CSV.  CSV appears to be designed so that
MAPS can list people who are foolish enough to publish CSV records.


>> I think there will always be a struggle over how to interpret the SPF
>> results.  Receivers will push for more accountability and stricter
>> requirements.  They will reject on Neutral/None, and try to hold
>> senders accountable for the smallest abuses from anything other than
>> Fail.  Senders will try to maximize the chances that their messages
>> get delivered and try to avoid the really costly steps needed to make
>> sure abuse never happens.
>
> Are you saying that, in any case, everybody is going to act as if asserting
> "Pass" meant accepting responsibility?  If so, what's the point of
> pretending that it doesn't?

Nope, I'm saying that Receivers will try and act as if Pass (and some
will probably include Neutral and/or None) means that the Sender has
accepted responsibility, while Senders will try and disclaim any
responsibility at all.


>> I actually somewhat like the mengwong-spf-* definitions of Pass:
>>
>>      Pass (+): the message meets the publishing domain's definition of
>>      legitimacy.  MTAs proceed to apply local policy and MAY accept or
>>      reject the message accordingly.
>>
>> This is actually somewhat of a tautology.  The Senders and Receivers
>> can argue all they want over what "legitimacy" means,
>
> No, they can't, and incidentally that's also the very reason why I, too,
> like the wording.  Only the domain owner, as the authoritative authority
> (hint, hint), can define what constitutes "legitimacy", "forgery",
> "authenticity", etc.  And the sender really doesn't have to care about
> exactly _how_ those are defined.

I very much doubt that Receivers will accept whatever definition of
"legitimacy" that Senders claim it defines.  There will be lots of
pulling out dictionaries and claims of "in this context...".


>> When I read that definition of Pass, I don't see it saying "authentic"
>> at all, but Julian does.
>
> As far as I can see, what my understanding and your understanding of the
> mengwong-spf-* definition have in common is that we both accept that the
> domain owner declares consent to being treated as responsible (in the
> sense of typical reputation systems) by the receiver for "Pass"ed uses of
> the domain.

No, I am not claiming that the domain owner is declaring that they
accept responsibility.


> You (and Meng) call it "legitimacy".  I call it "authenticity".  But it is
> really all the same.

I really don't agree they are the same thing.  A quick check of a
dictionary will confirm it.  ;-)


-wayne