spf-discuss
[Top] [All Lists]

Re: Andy Newton says: FTC Dismisses SPF

2005-06-24 16:11:15

On Fri, 24 Jun 2005, David Woodhouse wrote:

On Fri, 2005-06-24 at 13:32 -0700, Dave Crocker wrote:
 What I'm doing is basically
 just what is now known as BATV, although with syntactic differences in
 the reverse-path -- I actually use an SRS-like reverse-path.


the differences are deeper than syntax.

i believe that john levine has explored this point with the ses folks,
extensively.

What I'm doing isn't SES. The SES stuff developed significantly after I
implemented what I have now. I'm still just doing the 'unique-ish
reverse-path on all outgoing mail' thing, which allows me to reject
false bounces and allows those doing SMTP callouts to reject faked mail
from my users. Nit-picking about syntax aside, that's basically what
BATV is.

Nit-picking - but that is exactly what SES used to be before people
there got "carried away" and added bunch of additional options. But its
my understanding that original "sign only MAILFROM" is still supported
there as one possible way to do SES (and since you're using SES syntax
that means its exactly what you have, i.e. SES signature, in fact if
I understand it BATV was not even a draft when you implemented it).

So in effect BATV is subset of SES more carefully worded around only
doing signing of MAILFROM itself in MAILFROM address signature, but
less developed as far as cryptographic signature.

P.S. If I were you or other person who is using SES (ses syntax signature
that is), I'd write FTC and let them know about it and direct them to
information about what SES is as well as time-frame of development of the
protocol and specification so it would be clear which came first and
which ones have more libraries and implementations available. Afterward I'm sure they can figure out themselves which specification has better
cryptography specified, etc.

And the reason for doing is exactly the same as why people are writing FTC about SPF. FTC in fact asked about MAIFLROM but called it by wrong name and using specification that almost nobody implemented and which came after original without consent.

P.S. As far as SES I already wrote to original authors in private - in my opinion they should drop trying to include RFC2822 data in the signature (or make it an option and discuss that in separate document) and go back to original concept of MAILFROM-only signature in MAILFROM with signature verified as part of dns request from SPF client rather then on its own protocol. Write that all as internet draft and submit to IETF (and include timeframe there when it was all developed in acknowledgments).

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net