-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Wayne Schlitt wrote:
Julian Mehnle writes:
Wayne Schlitt wrote:
[...] I think that venturing anywhere near the idea of "accepting
responsibility" will scare away some publishers, and do nothing to
actually hold abusive senders accountable.
Do you think that DomainKeys/IIM is doomed to fail for the same
reason? AFAIK, its key point is to assert authenticity (and thus
responsibility).
I'm not sure what the current DK/IIM drafts say, but I do think that
this will be a problem with CSV. CSV appears to be designed so that
MAPS can list people who are foolish enough to publish CSV records.
[...]
Are you saying that, in any case, everybody is going to act as if
asserting "Pass" meant accepting responsibility? If so, what's the
point of pretending that it doesn't?
Nope, I'm saying that Receivers will try and act as if Pass (and some
will probably include Neutral and/or None) means that the Sender has
accepted responsibility, while Senders will try and disclaim any
responsibility at all.
So is it better to deceive publishers about the fact that senders are going
to hold them accountable, reputation-wise?
This is actually somewhat of a tautology. The Senders and Receivers
can argue all they want over what "legitimacy" means,
No, they can't, and incidentally that's also the very reason why I,
too, like the wording. Only the domain owner, as the authoritative
authority (hint, hint), can define what constitutes "legitimacy",
"forgery", "authenticity", etc. And the sender really doesn't have to
care about exactly _how_ those are defined.
(s/And the sender/And the receiver/)
I very much doubt that Receivers will accept whatever definition of
"legitimacy" that Senders claim it defines.
But receivers won't have any other choice, because domain owners will not
publish their definition of legitimacy. All that domain owners will
publish is the IP addresses that they think are... uhm... what,
"authorized"? This is where the need for an exact definition of "Pass"
comes in. We shouldn't be naive and assume that receivers will take
"authorization" for anything other than "assumption of responsibility for
the use of the domain".
I mentioned this elsewhere already, but I'll bring it up again: If domain
owners think they can assert "Pass" for an MTA even though that MTA does
not prevent cross-user forgery, then strictly, SPF isn't even going to
protect the domain owner from unjustified bounces provoked by some other
user of that MTA. Do we really want to define "Pass" as "doesn't mean
anything except that the MTA is authorized to send mail using the domain"?
I think this will mislead publishers.
As far as I can see, what my understanding and your understanding of
the mengwong-spf-* definition have in common is that we both accept
that the domain owner declares consent to being treated as responsible
(in the sense of typical reputation systems) by the receiver for
"Pass"ed uses of the domain.
No, I am not claiming that the domain owner is declaring that they
accept responsibility.
But obviously you are saying that the domain owner declares consent to
being treated as responsible, because, as you say, this is what receivers
are going to do.
You (and Meng) call it "legitimacy". I call it "authenticity". But
it is really all the same.
I really don't agree they are the same thing. A quick check of a
dictionary will confirm it. ;-)
My Oxford English dictionary says:
authentic
1. known to be true or genuine
legitimate
4. genuine
Merriam-Webster Online dictionary says:
authentic
2a. worthy of acceptance or belief as conforming to or based on fact
3. not false or imitation
legitimate
2. being exactly as purposed, neither spurious nor false
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCn9ZgwL7PKlBZWjsRAigMAJ4ul+3VwhoA2PRg6ZzJuC3nFRq9IwCgyaNZ
8TQfErgqn/e6au39RkfhQGU=
=6g8c
-----END PGP SIGNATURE-----