spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[spf-discuss] Re: "authorized" == "not forged"?

2006-09-20 07:27:15
from [Julian Mehnle] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:

Julian Mehnle wrote:

The description of "op=auth" fails to make an explicit point of the
difference between v=spf1 Pass's authorization semantics and the
additionally offered authentication semantics.  In fact, it doesn't
even mention the word "authenticity" once.  I think it should.


Okay, I've to look up the RFC number of the security glossary again - I
forgot it after we didn't add it to 4408,  Reality check: Does
"authorized and cross-user forgery impossible" really imply
"authenticated" ?


Not necessarily.  What's "authentic" gets defined by a respected authority.  
In the case of SPF, the domain owner is the respected authority.  If he 
says "HardPass" or "op=auth" (and I thought the word "auth" in that was 
supposed to mean "authentication", isn't it?), then receivers can 
confidently take a "Pass" as meaning "the envelope sender is authentic".

However, the "op=auth" option really is just a hack for the absence of a
"HardPass".  In a future SPF revision we ought to include a dedicated 
qualifier and result code for it, e.g. "++" = "Authenticated" (not "Hard- 
Pass" -- that's bound to confuse people).


If yes I could simply add to the text [...] "in other words authenticated
and authorized" (or similar).


Here's an attempt:

   The "auth" property indicates that the domain owner not only authorizes
   the hosts that "Pass" the sender policy to send mail using the domain
   in the "MAIL FROM" and "HELO" identities, but that the domain owner also
   asserts those uses of the domain to be authentic, i.e. not forged.

   In particular, this means that any authorized hosts that are shared with
   other domains are guaranteed to prevent cross-user forgery (see
   [RFC4408], section 10.4).  This is often the case for MSAs as defined in
   [RFC4409], but many MSAs and smart hosts still allow to use any "MAIL
   FROM" identity after a successful SMTP authentication.

   For details about [...]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFEU9xwL7PKlBZWjsRAi8IAKCshilWgf3wW6hKRMJSgmJfV1BhowCfdMZl
YMBL9tWMHLWrqb7zhioac4U=
=fm2c
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] Re: Design bugs in v=spf1, Scott Kitterman
Next by Date:  [spf-discuss] Re: SPF wizard and varigrelacionamento.com.br, Julian Mehnle
Previous by Thread:  [spf-discuss] Re: "authorized" == "not forged"?, Frank Ellermann
Next by Thread:  [spf-discuss] Re: "authorized" == "not forged"?, Frank Ellermann
Indexes:  [Date] [Thread] [Top] [All Lists]