spf-discuss

RE: Forwarding/Redirecting: The problem as I see it....

2005-07-08 02:12:50
On Thu, 2005-07-07 at 17:16 -0500, Seth Goodman wrote:
> Now, I know the body hash is not a complete panacea in all cases, but it is
> for all the important ones.  The only cases it doesn't handle well are:
>
> 1) authenticating the original sender after remailing through a mailing
> list, and
>
> 2) authenticating the original sender if any forwarders alter the message
> body.
>
> Neither of those are serious limitations.  Let me give a little more detail
> as to why I believe this.

You omit the one which really turns me off the idea, which is that the
recipients have to know to check it in the first place. Although that's
not really a technical limitation, I suppose. It certainly doesn't
_hurt_ to include the digest.

But I'm still wondering why we're talking about authentication in such a
fashion anyway.

The extra assurance you get from this body hash can be seen as vaguely
equivalent to the difference between SPF 'unknown' and SPF 'pass'
results.

Let us assume that the forwarding problem gets solved, because RFC4821
mandates SRS and everyone obeys, and that I start to use SPF. What am I
supposed to tell from an SPF 'pass' that I cannot tell from an SPF
'unknown' result? I know that I can't safely reject the mail; what
_more_ am I supposed to infer?

Is my bank manager supposed to act upon instructions which appear to be
from me and which have an SPF 'pass' result? Do I abandon my current use
of GPG for that purpose?

-- 
dwmw2


<Prev in Thread] Current Thread [Next in Thread>