Re: [spf-discuss] Ideas for future "unified" auth schemes

At 11:59 PM 9/28/2005 -0700, Greg Connor wrote:

> There was a lot of material posted on the thread "Re: Question on a 
> unified policy record approach" - I haven't made it through all of it, but 
> perhaps now would be a good time to resume talking about applying SPF 
> syntax against other identities.
> I had sort of put this issue on the back burner while we were working on 
> SPF-Classic drafts, and getting our draft pushed to the RFC editor, 
> getting an RR type for our future use, etc., were higher priorities.  But 
> I have started seeing discussion on SPF3, SPF2.0/helo or other slashed 
> strings, or op=whatever modifiers, so perhaps those of us who care about 
> unification can start to float some ideas around.
> SPF Classic (v=spf1) has an inherent limitation that it is only intended 
> for use against the MAIL FROM and HELO (2821) identities.  However, there 
> still exists the possibility for using the SPF language for other 
> identities (just not the v=spf1 part) so that domains can publish a 
> 2822-From policy, 2822-Sender policy, etc.  The SPF language provides an 
> excellent set of mechanisms for anything that compares a domain name with 
> a sending IP, so there's no real reason why it can't be applied to other 
> identities.  The only thing the language lacks is a method to say "what 
> identity does this apply to?" and I believe that can be addressed simply 
> and well, if taken with a certain amount of deliberation and care.
> To me, "Unified" means the following.  (If you have a different idea of 
> what "unified" means or should mean, please question the heck out of my 
> assumptions so that we can try to proceed on a common basis).
> 1. An IP is required.  "Unified" syntax still uses Domain and IP, and not 
> much more.
> The SPF syntax works quite well for correlating a Domain and an IP, and 
> getting one of a small number of possibilities.  We will probably not have 
> much traction if we try to apply SPF language and concepts to something 
> that doesn't depend on a Domain and IP.
It would be good to include signature-based methods in this, even if it is 
simply a keyword to indicate that the domain uses a particular method.  ( 
meth=SPF,DKIM )
> 2. A single identity is required.  "Unified" can validate one identity 
> with one IP, but doesn't link one identity with other identities.
> The SPF language can tell whether one IP is allowed to use the domain in 
> the identity, but it can't (shouldn't) say "X identity needs to match Y 
> identity".  Identities don't outrank or trump each other.  SPF-Unified is 
> only used for checking one identity at a time.
A single identity is required to get the process started, but as soon as 
you know the sender's preference, you have to switch to whatever identity 
is required by their preferred method.
> 3. A single domain is required.  "Unified" doesn't compare the policies 
> for multiple domains.
> There is only one domain we are interested in at any given time, and that 
> is the domain of the identity we are trying to validate.  An identity has 
> to have one and only one domain name to play.  If we only validate one 
> identity at a time, we only care about one domain at a time - that is the 
> domain claimed by the identity value.
> What I'm not really comfortable with is statements that say "Our Sender: 
> domain will always match our 2821 MAIL FROM", or "Our HELO will always be 
> X if our From: is Y".  We don't have a great technology for comparing 
> multiple identities to each other to make sure they are the same or 
> similar enough.  What if they are different, and looking up both domains 
> leads to different/conflicting policies?  Trying to establish a 
> correlation or hierarchy may be useful in some circumstances, but SPF 
> language is not a good tool for that.  Therefore, I don't want to stretch 
> SPF to try and create equivalences or enforce matching - we should focus 
> on what SPF language does best: one identity, one domain and one IP.
> Some receivers will have their own local policy that says "Check HELO, 
> then MAIL FROM, then Sender."  I would like SPF to be the method that gets 
> used three times in that recipe, for a different identity each time.  I 
> don't want to try and stretch SPF to enforce any ordering.  SPF can't say 
> "Allow HELO, but only if MAIL FROM fails" or anything like that -- it's 
> not equipped for it.  For one thing, I don't think there's a strong need 
> for that, but for another, what should be done if the domains are 
> different and their policies are conflicting?
The sender should list the methods offered, and the receiver gets to chose 
which it will use.  If a receiver runs two methods, say SPF and DKIM, and 
gets two different results, receiver policy will determine the final result.
--
Dave



-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, 
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com