Frank Ellermann wrote:
> ...and that points to Meng's famous v=marid article...
> <http://article.gmane.org/gmane.mail.spam.spf.discuss/8119>
> [...] Meng's article also has a pointer to his CYA "Olson objection"
> slide show.

Hmm, http://spf.pobox.com/slides/molson/01.html etc. were throwing an error
(as many of the slides had been doing for a while now). I fixed it.

>> It could be argued that the MSA just should be fixed.
>
> Supporting 2476 6.1 enforced submission rights _without_ option 8.1 "MAY
> add Sender" is not at all broken, quite the contrary. Admins thinking
> about 8.1 should first talk with their lawyer, manipulating a mail header
> is very critical - even today before DKIM.

Well, going strictly by the current RFCs, such an MSA may actually be
standards compliant. But you have to see that what we're doing with SPF
is to establish stricter requirements for sending (and forwarding) mail.
So it could, with some legitimacy, be argued that the correct solution to
the problem you described was to make the MSA requirements stricter, too
(i.e. to "fix" the MSA), instead of somehow accommodating those who prefer
some mostly worthless legacy configuration.
We cannot promote SPF, rightfully dismissing the inertia of reactionaries,
and at the same time insist on retaining some other, mostly worthless
legacy behavior. Our argument has to be consistent, or the appeal will go
up in smoke.

>> Do you really think this is a _real_ security threat?
>
> Yes. A bogus "authenticated PASS" from a trustworthy MSA is a wet dream
> for all wannabe-phishers.

I doubt that, if phishers have to use the same MSA as those whose
identities they want to abuse. Or have I misunderstood your scenario?

>> I haven't linked to any spf-discuss or spf-council messages in the
>> draft so far. Does anybody know any good candidates?
>
> Maybe something from / to Mr. Hardie documented in the Council list
> archive? One of my two complaints here and on the IETF list?
> <http://mid.gmane.org/42284F87.4155@xyzzy.claranet.de>
> <http://mid.gmane.org/42AE1431.1276@xyzzy.claranet.de>
> The latter has a Cc: iesg@, otherwise it's irrelevant, you have this
> point already much better in your text.

Yes, I think this is covered well enough in the draft appeal already.
Thanks for your suggestions, though.

> Or one of the two articles where I tried a Cc: Brian?
> <http://mid.gmane.org/42AE230E.3BA3@xyzzy.claranet.de>
> <http://mid.gmane.org/42AE230E.3BA3@xyzzy.claranet.de>
> The latter isn't _too_ bad, it's not about Mr. Hardie.

Oops, you inserted the same URL twice. What was the latter supposed to be?