spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 20:29:37

Alex van den Bogaerdt wrote:
Julian Mehnle wrote:
SPF authorizes IP addresses.  Of course this does not mean that
SPF authenticates IP addresses.  SPF is supposed to authenticate
_domains_.

That's where we disagree.  SPF _authorizes_ hosts to use domains.

I never said anything to the contrary.

You say auth_enticate_ I say auth_orize_.
You say _domains_ I say _hosts_.

Yes, that's no contradiction.

SPF is not: is this example.org
SPF is not: is this mail.example.com
SPF is:     is mail.example.com allowed to say ...

I never said anything to the contrary.

<quote>SPF is supposed to authenticate _domains_.</quote>

This matches either the first or the second from my list. In both
cases I say "SPF is not".

| Is mail.example.com allowed to say [this message was sent by someone at
| example.org]?
...is equivalent to...
| Is the identity claim MAIL FROM:<...@example.org> authentic?
...isn't it?

So, are you saying that I can apply reputation to an identity
_without_ being sure that the identity was used with its owner's
consent?

Yes and no.  See next paragraph.

That would be like you blacklisting mehnle.net because spammers have
joe-jobbed me multiple times.

Only if sent through a host _you_ authorized.  In that case: yes, I
don't care if it was or was not really you.
It is your domain that is used in spam and it is your domain that got a
bad reputation because _you_ _authorized_ this spam outlet. [...]

(Now we're making progress.)  This is exactly why we need to make it clear 
to domain owners that they should only assert "Pass" if they are 
reasonably sure that abuse that uses their domain can only come from 
themselves.  Otherwise, people will assert "Pass" and then wonder why they 
end up on black-lists, even though the definition of "Pass" only said 
"host is authorized" and not "domain will accept responsibility".

Would you agree that the definition of "Pass" should talk about having to 
accept responsibility (in terms of reputation)?

So I stick to my point:  You can't apply reputation without being sure
that the identity at hand can be considered authentic.

If you have made up your mind and don't want to discuss this any
further, then don't.  You don't have to say what your opinion is,
we already know.

Sorry, but you are just jumping to a conclusion without supporting
your claim.  And I just don't agree with the steps necessary to fill
the gap you jump over.

I think there is a misunderstanding:

What I meant by "apply reputation" was "create reputation by judging the 
abusiveness of a message".

Perhaps I should have been more clear, so let me try this again:

You certainly cannot _create_ reputation without being sure that the 
identity at hand can be considered authentic.

Would you agree to that?

There is no need, at all, to know where the mail originates.

Are you sure?  Don't you think most domain owners would want receivers to 
be sure of the MAIL FROM's authenticity before creating bad reputation for 
the domain?

If you want to know, for 99.9998 percent sure, that it came from
example.org you will need authentication and thus you will need
something (much) stronger than SPF.

What do you mean by "it came from example.org"?  If the policy for 
example.org is "v=spf1 +a:shared-mta.foo.org -all", and the message came 
from shared-mta.foo.org, does this mean the message "came from 
example.org"?

If shared-mta.foo.org does not prevent cross-customer forgery, and some 
other user at foo.org sent the message, did it still "come from 
example.org"?

Does it matter if it was or was not example.org submitting that
message? No.  example.org trusts mail.example.com

Making it explicit, this trust means: "example.org trusts
mail.example.com not to allow cross-customer forgeries".  Which is the
same as asserting authenticity.

NO I DO NOT SAY THAT.  Don't put words in my mouth.

Of course you did not say that.  You did not say anything about what you 
mean by "trust", so I was forced to guess.  My apologies.  Thanks for 
explaining now what you mean by "trust".

I trust a certain host to deal swiftly with any user gone rogue.
[...]
There is no reason for me not to trust this host, no matter how many
times you are going to say I shouldn't. 

Are you sure this is all you require of the host?

If the host does not prevent cross-user forgery, a malicious user can send 
millions of spam messages before the host can "deal swiftly" with him.  
That would mean a very high risk of having your reputation trashed for a 
long time.

(Still, it is of course your right not to care about that risk.  I would 
never dare to challenge that.)

P.S.  Even I need my 5 hours of sleep and am going to do that in
30 seconds.  Don't think this discussion is abandoned if you don't
hear from me in the next couple of hours.

Will do the same.  Good night.
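
Added example, not part of the original message: a minimal evaluator for only the `a:` and `all` SPF mechanisms, applied to the policy quoted above, showing that the account which submitted a message through the shared MTA is not an input to the check. The IP addresses, the `other-customer.foo.org` account and the `alice` mailbox are constructed assumptions.

```python
import ipaddress

# Constructed DNS data (assumption): A record of the shared MTA.
DNS_A = {"shared-mta.foo.org": ["192.0.2.25"]}

POLICY = "v=spf1 +a:shared-mta.foo.org -all"  # policy quoted in the message

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, policy, dns_a=DNS_A):
    """Evaluate a tiny SPF subset: only 'a:<host>' and 'all' mechanisms."""
    terms = policy.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    client = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("a:"):
            addrs = dns_a.get(term[2:], [])
            if any(client == ipaddress.ip_address(a) for a in addrs):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


# Constructed submissions: (customer account on the MTA, MAIL FROM, client IP).
SUBMISSIONS = [
    ("example.org", "alice@example.org", "192.0.2.25"),
    ("other-customer.foo.org", "alice@example.org", "192.0.2.25"),
    ("unknown", "alice@example.org", "198.51.100.7"),
]


def evaluate(submissions, policy=POLICY):
    """Return (account, SPF result); the account never reaches check_host."""
    return [(acct, check_host(ip, policy)) for acct, _mail_from, ip in submissions]


if __name__ == "__main__":
    for account, result in evaluate(SUBMISSIONS):
        print(f"{account:25s} {result}")
```

The first two rows differ only in which customer of the shared MTA submitted the message, and the receiver computes the same result for both.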

