-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Alex van den Bogaerdt wrote:
Scott Kitterman wrote:
Alex van den Bogaerdt wrote:
This has even evolved now into "you are authorizing everybody sending
through the servers to use your name" which is just plain wrong. The
protocol does _not_ say this.
But it is, IMO, a reasonable conclusion. If I get a message and it
says Pass, then that server is an authorized source of messages for
the name. What other conclusion can one draw, but that the message is
authorized.
You have no reason at all to draw such a conclusion. The only
conclusion you can draw is that the server has a right to send messages
using this return path.
No other semantics are present. Any other conclusion is yours, and
yours alone, not the publisher's.
Shared server without technical means to prevent cross-user forgery
gets an SPF Pass has risks.
That's why there is a section on cross-user forgery in paragraph 10.
You mean 10.4 ? The section starting with "By definition ..." then
continuing to explain why SPF is not (!) designed to look at individual
users?
I should think this section defends my position, not yours.
Amusingly, section 10.4 was written by me originally, with the definite
intent to discourage "+"-authorizing shared MTAs that do not enforce
cross-user forgery. Apparently this wasn't made clear enough.
I have long been trying to refute the idea of reducing "+" to a mere
"it's authorized, but it could still be a forgery". That would just be
massively pointless.
I argued for a separate result for some form of 'I do send mail
through this server, but other people do too, so there are no
guarantees', but lost that point 2 years ago. What we have is what we
have.
Oh, but there is "?" AKA "Neutral" AKA "I can't tell if it's forged or
not".
No offense, but it seems to me you are still fighting to massage the
protocol into what you want it to be, in stead of accepting the way
the majority decided on.
Do we really need "PassIMeanIt", "PassBecauseIWantItToReadPassButItReally
DoesntMeanAThing", and "Neutral" in SPFv3?
This is the same attitude as when people saying "the message was SPF
authorized but it is still spam". Wrong conclusions drawn because of
wrong anticipations.
SPF isn't about spam, it's about envelope sender forgery. If "Pass"
doesn't mean "the envelope sender is not forged in all conscience" and
"Neutral" doesn't mean "the envelope sender may or may not be forged, but
don't treat the message differently from a non-SPF-protected one" -- i.e.
if "authorized" doesn't exactly mean "not forged" -- then what's the
point?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFEFQnwL7PKlBZWjsRAnonAKCL+z8zBrARE83ydWWKS755gYV8bACg1E+T
HwZlj8tr0S+kjWil69o9/g0=
=XCKO
-----END PGP SIGNATURE-----
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com