From: Stuart D. Gathman [mailto:stuart(_at_)bmsi(_dot_)com]
Sent: Wednesday, August 17, 2005 10:03 PM
<...>
Seth's idea is that the most popular MUAs *already* display From + Sender.
He wants to leverage what the MUA is already displaying to
curb phishing.
I feel a little bad about anyone calling this my idea. As William just
pointed out, he first suggested this in
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200410/0707.html last
October. Though I didn't remember any of this, upon rereading that thread
in the archives, I discovered that I told him what a good idea it was and
actively participated in the discussion
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200410/0756.html. So
let's be clear this was William's idea, and a darn good one.
The only twist that I'm adding to what we discussed last October is to
consider not using additional modifiers in the SPF record and to leverage,
as you say, what the most common MUAs around already display.
Unfortunately, that is not a minor factor. The proposal is a bit brash, as
it ignores the underutilized Resent-*: headers and systems that don't write
Sender: when they should, but its virtue is simplicity. Perhaps it's too
simple, perhaps not.
I also think Frank's method from his earlier I-D in progress that he
excerpted in
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200508/0414.html is
very good. In that piece, he did a good job of documenting how PRA, minus
the repurposing of Resent-*: as forwarding headers, was merely a restatement
of existing standards. Not the proposed standards that I have been quoting,
but RFCs that are full standards. I think any of these related methods can
work. The motivation is to see if we can leverage the original SPF check on
MAIL FROM to detect 2822 forgery without resorting to heavy cryptographic
methods or even further SPF checks. This would be a large win for both
senders and recipients.
Sorry if we've been there before, but if you read that original thread that
William started last October, we were in a very different place. Unified
SPF was our answer to SID, we were discussing scope mechanisms, fetching
separate records for different headers and PRA was still mentioned
frequently. Things look a little different now. Unified SPF and PRA are
pretty much dead. Thanks to Wayne and others, we now have an I-D for
SPF-classic, and even that was an uphill fight.
This may be an old idea, but in the current context, it appears worth
considering in any of the forms proposed.
--
Seth Goodman
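An added illustration of the check discussed above, not code from the thread or from any SPF implementation: once SPF has passed for MAIL FROM, compare that domain with the domain of the header the MUA displays (Sender: if present, else From:). A second, PRA-style header order that also honors Resent-* is included to show the case the simple version misses; the header orders, messages and addresses are constructed for the example.

```python
import email
from email.utils import parseaddr

# Simplified proposal: trust what the MUA shows, Sender: first, then From:.
SIMPLE_ORDER = ("Sender", "From")
# PRA-style order (simplified here): Resent-* headers take precedence.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def domain_of(addr: str) -> str:
    """Lowercase domain of an RFC 2822 address ('' if none, e.g. for <>)."""
    _, spec = parseaddr(addr)
    return spec.rpartition("@")[2].lower()

def responsible_domain(msg, order) -> str:
    """Domain of the first header in `order` that is present in the message."""
    for name in order:
        if msg.get(name):
            return domain_of(msg[name])
    return ""

def header_consistent(raw_message: str, mail_from: str, order=SIMPLE_ORDER) -> bool:
    """True when the displayed author header agrees with the SPF-checked
    MAIL FROM domain; False flags a likely 2822 forgery (or a Resent-* case
    the simple order cannot express)."""
    msg = email.message_from_string(raw_message)
    return responsible_domain(msg, order) == domain_of(mail_from)

# Constructed sample messages (headers only; bodies are irrelevant here).
DIRECT = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
LIST = ("From: Alice <alice@example.com>\n"
        "Sender: list-owner@lists.example.org\nSubject: hi\n\nbody\n")
FORGED = "From: CEO <ceo@bank.example>\nSubject: urgent\n\nbody\n"
RESENT = ("From: Alice <alice@example.com>\n"
          "Resent-From: Bob <bob@forwarder.example>\nSubject: fwd\n\nbody\n")

if __name__ == "__main__":
    print(header_consistent(DIRECT, "alice@example.com"))           # True
    print(header_consistent(LIST, "bounces@lists.example.org"))     # True
    print(header_consistent(FORGED, "attacker@phish.example"))      # False
    print(header_consistent(RESENT, "bob@forwarder.example"))       # False
    print(header_consistent(RESENT, "bob@forwarder.example", PRA_ORDER))  # True
```

The last two calls show the trade-off the message describes: the simple Sender/From rule misreads a legitimately resent message as a mismatch, while the Resent-aware order accepts it.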