wayne wrote:
> can you give an example where using the PRA on SPF records
> will give an "erroneous PASS"?

Let's assume that I have an account xyzzy(_at_)gmx. GMX is a mail
provider with a no nonsense SPF FAIL policy (checking... yes).
Let's assume that it's a well-behaved MSA, I can submit mails
with Return-Path xyzzy(_at_)gmx, but not e.g. wayne(_at_)gmx (2476 6.1).
So everybody knows that a PASS from GMX is a good PASS. Now
let's assume that you're an attacker, you get a free account
wayne(_at_)gmx, use it as Return-Path, and you set From: xyzzy(_at_)gmx
The poor hotmail user who's used to taking the PRA PASS for real
would get PRA = xyzzy and result PASS. From a trustworthy MSA
that did nothing wrong, quite the contrary, it followed all
recommendations in draft-hutzler and draft-schlitt.

> By "erroneous", I mean case where a domain the domain owner
> determined by the PRA algorithm is given a PASS when it
> would not have PASSed if it was found in the return-path.

No, it's not that bad. But still a serious case of cross-user
forgery: GMX could publish op=auth (Scott's "HARDPASS", 2476
enforced submission rights) for its MSA. This works for SPF,
but not PRA.
Maybe I should add this to the op= memo, auth + pra at the same
time won't work as expected.
Bye, Frank
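
The mismatch described in the message above, as an added example that is not part of the original post: it selects the PRA with the RFC 4407 header precedence (simplified) and compares it with the envelope sender that an MSA enforcing submission rights would check. The domains `gmx.example` and `hotmail.example`, the sample message and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: envelope sender and From: are different mailboxes in the
# same domain. "gmx.example" is a placeholder domain, not taken from the post.
ENVELOPE_FROM = "wayne@gmx.example"
RAW_MESSAGE = """\
From: xyzzy@gmx.example
To: user@hotmail.example
Subject: constructed sample

body
"""

# Header precedence of the PRA selection, simplified from RFC 4407: it ignores
# Received/Return-Path ordering around Resent-* blocks and malformed headers.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def select_pra(msg):
    """Return the purported responsible address (lowercased) or None."""
    for name in PRA_HEADERS:
        values = msg.get_all(name)
        if values:
            addr = parseaddr(values[0])[1]
            return addr.lower() or None
    return None

def domain_of(addr):
    """Return the lowercased domain part of a mailbox."""
    return addr.rpartition("@")[2].lower()

def classify(envelope_from, raw_message):
    """Compare the identity an MSA enforces (MAIL FROM) with the PRA."""
    pra = select_pra(message_from_string(raw_message))
    if pra is None:
        return "no-pra"
    if pra == envelope_from.lower():
        return "same-mailbox"
    if domain_of(pra) == domain_of(envelope_from):
        # Same domain, same SPF record, same sending MSA: a domain-level check
        # gives both identities the same result, yet the mailboxes differ.
        return "same-domain-different-mailbox"
    return "different-domain"

if __name__ == "__main__":
    print(classify(ENVELOPE_FROM, RAW_MESSAGE))
```

A receiver can use the `same-domain-different-mailbox` result as the signal that a domain-level PASS on the PRA says nothing about which user submitted the message.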