On Tue, Sep 19, 2006 at 10:42:21PM +0000, Julian Mehnle wrote:
> > If you want authentication, the minimum is some form of encryption,
> > like SES. Do not mistake SPF for something providing authentication.
>
> This is a misconception. TCP provides authentic sender IP addresses
> _without_ the need for encryption. What's "authentic" is a matter of
> definition by a respected authority.
Yes, I stand corrected, I agree on this.
> If I say, "consider all mail with an
> envelope sender of 'mehnle.net' to be authentic if it passes the sender
> policy", then that's my choice and receivers will be happy to accept this
> assertion.
I also agree with you on this.
What I don't agree with is that `pass' makes such a statement.
> PGP isn't any different in this regard, and it isn't fundamentally more
> secure, either, because private keys can be stolen and crypto algorithms
> can be broken, and *poof* suddenly all these fancy digital signatures mean
> a shit.
Like I said: 100% certainty is impossible. This is also true for the tcp/ip
case by the way. You have no way of knowing _for_sure_ that packets are
coming from the source that is mentioned in the header of these packets.
It's difficult, but not impossible, to forge and generally is considered
good enough.
alex
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
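To make the point of the thread concrete, here is an added example (not code from the list or from any SPF implementation): a minimal SPF evaluator over constructed policy records, with no DNS lookups. A "pass" is nothing more than "the connecting IP is listed by the domain's policy"; whether that counts as "authentic" is a separate decision the receiver makes in its own local policy, which the second function models. Domain names, IPs and records are constructed.

```python
import ipaddress

# Constructed records for the example; a real evaluator fetches the
# domain's TXT record via DNS instead of reading a dict.
RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate the ip4, ip6 and all mechanisms of a domain's policy
    against the TCP peer address and return the SPF result string.
    The only input besides the policy is the connecting IP: a 'pass'
    says the policy lists that IP, nothing about who wrote the mail."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            # 'in' is False when address and network families differ
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def receiver_accepts_as_authentic(domain, client_ip, trusted_domains):
    """Receiver-side local policy in the sense of the thread: treat a
    'pass' as 'authentic' only for domains this receiver has chosen
    to trust. The SPF result itself is unchanged by this choice."""
    return domain in trusted_domains and check_spf(domain, client_ip) == "pass"


if __name__ == "__main__":
    for dom, ip in [("example.net", "192.0.2.7"), ("example.net", "203.0.113.1"),
                    ("example.org", "203.0.113.1"), ("nospf.invalid", "192.0.2.7")]:
        print(dom, ip, check_spf(dom, ip),
              receiver_accepts_as_authentic(dom, ip, {"example.net"}))
```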