spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Explain please

2005-07-08 05:52:38
from [Julian Mehnle] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Woodhouse wrote:

I said this to Dick St Peters on Wednesday:

"There is a technical incompatibility between the flawed initial
assumptions of SPF and the long-established practice of forwarding mail,
but that doesn't mean that mail forwarding is being abused. Why do you
say that it's being abused?"

Stuart jumped in with the response I'd already given as part of the
question: that forwarding doesn't work with SPF. Dick phrased it
slightly differently but said basically the same thing.

But nobody volunteered any reasons why, in the _absence_ of SPF (which
we know has technical problems with forwarding) there is any other
reason to consider it to be a bad thing. I'd heard nobody say that
forwarding was wrong, or 'forgery', before SPF was invented. What,
_other_ than the technical problems of SPF, has changed?


You are not listening.  (And because of this, this will be my last response 
to you on this topic for a very long time.)

Forwarding without sender rewriting is a bad thing because it cannot be 
distinguished from regular envelope sender forgery.  If forgers can evade 
responsibility by just claiming to be forwarders, then the forgery problem 
cannot be solved.

Since the envelope sender forgery problem is real, we want it to be solved.  
Because we are consequential, we are willing to declare forwarding without 
sender rewriting a broken legacy feature.  We'll see who agrees with that.


We know the caveats about content checking causing bounces -- that kind
of thing happens anyway with backup MX (and in fact it's worse with
those backup MX hosts which don't know which addresses are even valid).
That's not a reason to consider forwarding to be evil, unless you're
also going to abolish backup MX too, and then you might as well just
take us all the way to IM2000.


(Misdirected) bounces do not result from content checking only.  Yes, 
backup MXes are indeed a malfeature, unless they exert exactly identical 
security policies.  Yes, pull-type messaging may be the future, but 
reputation will still be required, and IM2000 in particular is far from 
optimal.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCzncXwL7PKlBZWjsRAs3hAKDWwqAKfom2wVUNj00cigwotDHXKACfUa1t
adZg2mrnc8WvkWn7FB/scGo=
=rACh
-----END PGP SIGNATURE-----
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Explain please, David Woodhouse
Next by Date:  Re: Explain please, Julian Mehnle
Previous by Thread:  Re: Explain please, Alex van den Bogaerdt
Next by Thread:  Re: Explain please, David Woodhouse
Indexes:  [Date] [Thread] [Top] [All Lists]