spf-discuss

Re: Draft IETF appeal

2005-08-24 07:17:56

Frank Ellermann wrote:
Let's assume that I have an account xyzzy(_at_)gmx   GMX is a mail provider
with a no nonsense SPF FAIL policy (checking... yes). 

Let's assume that it's a well-behaved MSA, I can submit mails with
Return-Path xyzzy(_at_)gmx, but not e.g. wayne(_at_)gmx (2476 6.1). 

So everybody knows that a PASS from GMX is a good PASS.  Now let's
assume that you're an attacker, you get a free account wayne(_at_)gmx, use
it as Return-Path, and you set From: xyzzy(_at_)gmx 

The poor hotmail user who's used to take the PRA PASS for real would get
PRA = xyzzy and result PASS.  From a trustworthy MSA that did nothing
wrong, quite the contrary, it followed all recommendations in
draft-hutzler and draft-schlitt. 

(Let's call this "PRA cross-user forgery", as opposed to "MAIL FROM
cross-user forgery".)

The flaw in this argument is that not only is there no specification 
_requiring_ prevention of PRA cross-user forgery, but there is also no 
specification _requiring_ prevention of MAIL FROM cross-user forgery.  
Not even the SPF spec requires it (it just says that you should not 
assert "Pass" if your MTAs don't prevent it).

The only valid part of your argument is that domain owners might have been 
aware of MAIL FROM cross-user forgery when publishing "v=spf1", but not 
of PRA cross-user forgery.  Unfortunately, though absolutely valid, this 
is a somewhat weak argument.
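An added illustration of the distinction discussed in the message above (not code from either poster or from any SPF or Sender ID implementation): a submission-time check that compares both the MAIL FROM and the PRA against the authenticated account. The PRA selection is simplified to "first address found in Resent-Sender, Resent-From, Sender, From"; the domain mail.example, the function names and the `owned` policy table are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Simplified PRA header priority (assumption: the Resent-* ordering rules and
# malformed-header handling of the full selection algorithm are left out).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def purported_responsible_address(raw_message):
    """Return the lower-cased address the simplified PRA selection picks, or None."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                return addr.lower()
    return None

def msa_check(auth_account, mail_from, raw_message, owned=None):
    """Classify one submission at an MSA.

    owned is a hypothetical policy table mapping an authenticated account to
    the set of addresses it may use; by default an account owns only itself.
    """
    allowed = {a.lower() for a in (owned or {}).get(auth_account, {auth_account})}
    pra = purported_responsible_address(raw_message)
    return {
        "pra": pra,
        # Envelope sender belongs to someone else: MAIL FROM cross-user forgery.
        "mail_from_cross_user": mail_from.lower() not in allowed,
        # Header identity belongs to someone else (a missing PRA is flagged too).
        "pra_cross_user": pra not in allowed,
    }

# Constructed sample: account wayne submits with its own Return-Path but
# puts xyzzy in From:, the scenario described in the quoted text.
FORGED = "From: xyzzy@mail.example\nTo: user@hotmail.example\nSubject: hi\n\nbody\n"
# Constructed sample: same From:, but a truthful Sender: header is present,
# so the PRA becomes the submitting account.
WITH_SENDER = "Sender: wayne@mail.example\n" + FORGED

if __name__ == "__main__":
    for label, raw in (("forged From", FORGED), ("with Sender", WITH_SENDER)):
        print(label, msa_check("wayne@mail.example", "wayne@mail.example", raw))
```

An MSA that enforces only the MAIL FROM comparison accepts the first sample, which is why a PASS computed on the PRA says nothing about the user named in From:.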

