Julian Mehnle wrote:
> not only is there no specification _requiring_ prevention of
> PRA cross-user forgery
If an MSA supports "enforced submission rights" (2476bis 6.1),
then it does what draft-schlitt recommends for the MAIL FROM
cross-user problem (shared MSA). IIRC ditto draft-hutzler.
> also is there no specification _requiring_ prevention of
> MAIL FROM cross-user forgery. Not even the SPF spec
> requires it (it just says that you should not assert "Pass"
> if your MTAs don't prevent it).
Sigh. It is a MUST for op=auth if you need a MUST. The issue
isn't this "requirement" in an obscure op-draft, the issue is
what the receivers _expect_ after they have seen that a PASS
from GMX is a good PASS in 1000 mails. The 1001st mail is the
phisher exploiting exactly this expectation with a receiver
behind a PRA-test.
> The only valid part of your argument is that domain owners
> might have been aware of MAIL FROM cross-user forgery when
> publishing "v=spf1", but not of PRA cross-user forgery.
Yes. But it affects also receivers and MSA operators. Or as I
put it one year ago, with PRA the "MAY add Sender" (2476 8.1)
has to be changed to SHOULD on the border to MUST. At least
Wayne agreed with this (2004-08-05) in the famous CYA-thread:
<http://article.gmane.org/gmane.mail.spam.spf.discuss/8162>
> Unfortunately, though absolutely valid, this is a somewhat
> weak argument.
Too weak for your appeal, but one of the reasons why I pushed
hard for the appeal: PRA over v=spf1 without explicit consent
in the form of op=pra is FUBAR.
Bye, Frank