spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[spf-discuss] Re: "authorized" == "not forged"?

2006-09-20 20:39:10
from [Frank Ellermann] [Permanent Link] 
Julian Mehnle wrote:


Reality check: Does "authorized and cross-user forgery
impossible" really imply "authenticated" ?



Not necessarily.  What's "authentic" gets defined by a
respected authority.  In the case of SPF, the domain owner
is the respected authority.


Okay, not the same as the operators of the "hardpass" MSAs.
It's the fault of the domain owner if his op=auth is bogus.


I thought the word "auth" in that was supposed to mean
"authentication", isn't it?


Yes, but I used it from the POV of the MSAs, derived from
SMTP AUTH or the A in RADIUS, which isn't enough.  That's
the whole point of the "hardpass" op=auth section.


However, the "op=auth" option really is just a hack for
the absence of a "HardPass".  In a future SPF revision
we ought to include a dedicated qualifier


Getting rid of the assymetry SOFTFAIL but no SOFTPASS...
nice but years too late.  Let's see how far we come with
the existing tags v=spf1 and spf2.0/pra.  The additional
zoo spf2.0/mfrom, spf2.0/mfrom,pra, and spf2.0/pra,mfrom
is unnecessary unless somebody has a compelling idea for
a positional modifier.

After two years without a "real" (implemented) modifier,
let alone a positional modifier, I'm tempted to declare
the "mfrom" zoo obsoleted by op=pra.  

With a statement "updates 4406" the op-draft could help
to cleanup this part of the IETF MARID mess.


Here's an attempt:

[...]
Thanks, for a -01pre diff see http://tinyurl.com/kzjo6 or
http://tools.ietf.org/rfcdiff?url2=http://xyzzy.webhop.info/home/test/draft-ellermann-spf-options-01.txt&difftype=--hwdiff

Not yet on my normal Web page (I'm not online with the
corresponding provider).  Could be as well stored on the
SPF site, a subdirectory with FTP-write access per author
(maybe, I've no idea how subversion write access works,
 CVS needs client software, I never tested the old 2001
 client on my box).     

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [spf-discuss] Re: SPF wizard and varigrelacionamento.com.br, Julian Mehnle
Next by Date:  Re: [spf-discuss] Re: "authorized" == "not forged"?, Scott Kitterman
Previous by Thread:  [spf-discuss] Re: "authorized" == "not forged"?, Julian Mehnle
Next by Thread:  Re: [spf-discuss] Re: "authorized" == "not forged"?, Scott Kitterman
Indexes:  [Date] [Thread] [Top] [All Lists]