Re: The Value of Reputation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Dec 27, 2005, at 5:20 PM, Frank Ellermann wrote:

Douglas Otis wrote:

The response was specifically against the use of "authorization." With respect to SPF/Sender-ID or SSP, these are indeed email- address "authorization" schemes.

There's no "burden shifting". If you have a PASS you know that the Return-Path is no random garbage, you can bounce or challenge without hitting innocent bystanders.

The email-address domain owner bears the burden when email-address authorization is considered "weak" authentication and used to accrue reputation. The burden is shifted when the email-address authorization does not indicate the actual sender. In shared environments with millions of compromised clients, these public authorizations will act as invitations. Most email-address domain owners will suffer harm well beyond their control, as only a few administer their own private servers. Repairing exceptions only increases these exposures when this involves open-ended authorizations (by any name).

...
Back to SPF PASS, I'm free to say "v=spf1 +all". If that backfires with whatever you do it is my problem, it's not your problem. A bogus SPF record is as bad as bogus MX records, that's no "burden shifting", it's a fact of live.

This back-scatter problem can be resolved by implementing BATV at the cost of two additional wafer-thin packets. (This would be far less overhead than looking up SPF records.) Unlike the (defunct) SPF scheme aimed at qualifying the return-path, BATV does not wait for wide adoption before benefits can be derived. The BATV signatures should be obfuscated upon delivery, and the same obfuscation could be common practice for DKIM, as described the in the options draft. : )

-Doug
_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]