spf-discuss
[Top] [All Lists]

RE: Request for Input on the meaning of "pass".

2005-06-02 22:03:16

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
Julian Mehnle
Sent: vrijdag 3 juni 2005 2:55
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Request for Input on the meaning of "pass".


Mark wrote:

[...] the domain owner is just not in a position to claim what anti-
forgery mechanisms said MTA has installed. To make it concrete, saying
"I, the domain owner, trust AOL to handle my mail" is complete valid
in SPF (read: may be considered an 'authentic' claim). But it would be
outlandishly out-of-line for the domain owner to assert: "I, the
domain owner, claim AOL has cross-user forgery protection in place
to guarantee the authenticity of my vanity domain."

But that's not what a domain owner would have to do. Instead, he would
assert: "I, the domain owner, trust AOL not to allow anyone to use my
domain for whose actions I will not accept responsibility with regard
to my domain's reputation",

But here you shift the original SPF "pass" semantics of "I allow AOL to
use my domain" to "I trust AOL not to allow anyone (else) to use my
domain". Do you not see the great difference? The former just makes AOL
authorized to inject mail with the given identity. The latter goes far
further, and makes the rather bold claim that AOL has added to its SMTP
infrastructure to prevent the misuse of your domain by any of its other
clients (which is why I much rather call it 'cross-domain' forgery). That
is, you state that, above and beyond normal SMTP transactions, AOL does
something extra for you. And even if they are, and you trust them to
uphold the deal, we can never make THAT part of "pass", for else all
regular SMTP mailers would not be covered by that definition.

But more importantly, like I said, how is the receiver to know all this?
The current SMTP protocol does not prevent cross-domain forgery (and nor,
for that matter, does SPF!). So, when asked how a receiver, given the
current state of technology, can interpret "pass", I'd say he really can
only tell for certain that AOL was authorized to use the identity.

It has been said that cross-domain forgery is really a form of abuse, and
therefore really a non-issue. But I beg to differ. Only too recently, for
instance, when verizon started blocking all of Europe, I was surprised to
see how many smaller ISPs actually use the verizon SMTP mailers (my mail
queues nicely showed which domains had become unreachable all of a
sudden). In case of this so called 'ISP outsourcing', we can hardly speak
of forgery, of course. Which is why I simply called it 'cross-domain
ambiguity' at the Council meeting before the last one.

To say that "pass" makes an identity authentic just because
I should have no reason to disbelieve the claim

I have not said that.

No. But you asked:

And why should a receiver not believe in what the domain owner
said?

What I am saying is that, unless we want to overload "Pass" with the
meaning of "Neutral" (and then consequently get rid of "Neutral"),
there is no meaningful difference between...

| The owner of domain X authorizes IP address Y to use the domain X.

....and...

| The owner of domain X declares that every use of domain X
| by IP address Y shall be considered authentic.

I fail to see how 'neutral' plays into this; 'neutral' claims neither of
the two. Besides, to me, there is really a world of difference between the
two statements already -- of which I support the first.

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx