spf-discuss

RE: Request for Input on the meaning of "pass".

2005-06-03 05:20:36

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
Julian Mehnle
Sent: Friday 3 June 2005 13:29
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Request for Input on the meaning of "pass".


Also, Wayne and others already sort of admitted that many
receivers will assume the domain owner to be responsible _anyway_,
even if the spec just says "... can now proceed with confidence in
the legitimate use of the identity, oh, and please do not construe this
as willingness of the identity owner to accept unjustified bounces
(in the cross-user forgery case), or to generally bear any reputation
for the messages sent."

The domain owner will almost certainly never accept responsibility for the
messages sent. We went over that before, and it would be setting oneself
up for a huge legal pitfall. And, in fact, the larger ISPs I know all
specifically disavow responsibility for messages sent. At best, you will
get the domain owner willing to take responsibility for the use of the
identity.

So why do we not go the rest of the way and admit that "Pass"
must mean that the domain owner trusts the MTA not to allow forgeries
or accepts responsibility (bears reputation, accepts unjustified
bounces) for the "unauthentic" cases otherwise?

Because, the odd case notwithstanding, hardly any SMTP mailer prevents
cross-domain/user forgery at the moment. It is simply not part of current,
common practice. And when we are dealing with formulating/finalizing a
spec, I feel we really should only stake a claim to what is, to the
letter, truthfully ours to claim. Otherwise, like I said on IRC, we would
just be writing cheques our SPF records can't truly cash. It is really one
thing to express that in practice you believe things will likely not be
much of a problem; but quite another to make an official claim about an
identity being 'authentic' -- whereas what you really mean is that you're
working on the honor system.

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
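The thread above turns on what an SPF "pass" actually asserts: that the domain owner authorized the sending host, and nothing more. The evaluator below is an added illustration, not code from the spf-discuss thread or from any SPF implementation; it replaces DNS with a constructed in-memory table and implements only the `ip4`, `ip6` and `all` mechanisms. It shows that the result depends solely on the connecting IP and the domain of the MAIL FROM identity, so two different mailboxes at one domain relayed through the same authorized host get the same "pass". That is why a receiver should attach any reputation or responsibility it infers from "pass" to the domain, not to the individual mailbox, exactly the distinction the post draws.

```python
"""Minimal SPF evaluator (added illustration; not code from the thread).

Assumptions: DNS is replaced by a constructed in-memory table, and only the
``ip4``, ``ip6`` and ``all`` mechanisms are implemented.
"""
import ipaddress

# Constructed stand-in for DNS TXT records; no real lookups are performed.
FAKE_DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_domain(sender):
    """Return the domain part of a MAIL FROM identity; the local part is discarded."""
    _, _, domain = sender.rpartition("@")
    return domain.lower()


def check_host(ip, sender):
    """Evaluate the SPF record of ``sender``'s domain against the connecting ``ip``.

    Returns an SPF result string. Only the domain and the IP take part in the
    decision; the local part of ``sender`` is never consulted.
    """
    domain = sender_domain(sender)
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
            continue
        # Other mechanisms (a, mx, include, ...) are outside this illustration.
        return "permerror"
    return "neutral"  # no mechanism matched and the record has no "all"


def results_for_shared_mta(ip, senders):
    """Check several MAIL FROM identities that all arrive from one connecting IP."""
    return {sender: check_host(ip, sender) for sender in senders}


if __name__ == "__main__":
    shared = results_for_shared_mta("192.0.2.10", ["alice@example.org", "bob@example.org"])
    for sender, result in shared.items():
        print(f"{sender} via 192.0.2.10: {result}")
    print("alice@example.org via 203.0.113.5:", check_host("203.0.113.5", "alice@example.org"))
```

Running the block prints "pass" for both mailboxes from the authorized address and "fail" from the unlisted one; the local part has no influence on the outcome, which is the limit of what a domain owner's record can vouch for.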