On Nov 17, 2006, at 8:40 AM, Stephane Bortzmeyer wrote:
> On Thu, Nov 16, 2006 at 07:21:01AM -0800,
> Douglas Otis <[EMAIL PROTECTED]> wrote
> a message of 31 lines which said:
>
> > SPF is like using scripts, rather than bitmaps, to describe fonts
> > offering any number of features, such as flashing text, moving
> > arrows, and winking smiley faces.
>
> I typically never reply to Otis' emails or I-Ds because it is
> obvious he is just motivated by a personal anti-SPF drive, but this
> presentation of digital typography is ridiculous: using scripts
> instead of bitmaps for fonts has many more advantages, the most
> obvious one being the ability to scale the text. If Otis knows
> about DNS as much as about typography, I understand a lot of things...

The scale of the SPF query process returning all IP addresses
authorized to send messages for a specific domain is daunting. This
issue is expressed in the spf-dos-exploit draft. Being the target of
DoS abuse increases one's attention to details. While respecting
efforts made by Wayne, William and others from MARID, the basis of
the SPF design remains flawed. Fixing SPF requires a fundamental
design change. Wayne's libraries are the most conservative of those
examined, although his scheme remains problematic for several domains.

Scripts indeed allow features that many have come to expect. Scripts,
however, also represent a significant security threat. With SPF, the
victim of this threat can be any third party not involved in the
message's transaction. The font analogy was an attempt to make a
comparison, where indeed many desirable features are made possible by
executing a script, rather than rigidly applying fixed data
structures. Email, all too often, is not about dealing with messages
from known sources. As such, it remains a bad idea to fetch HTML
images and execute scripts contained within these messages
automatically.

Many consider the SPF script to be somehow different. Unlike those cases
mentioned, many expect SPF to be executed automatically without
knowledge of the originator. For many, the purpose of the SPF script
is to discern whether an SMTP client is authorized, without ever
knowing who is being authorized and who is making the reference to
the script.
-Doug
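The query amplification the thread argues about comes from SPF terms that each cost a DNS lookup (include, a, mx, ptr, exists, redirect), with include and redirect pulling in further records. Below is an added example, not code from this thread or any SPF library, that walks a record the way a resolver would and flags records that exceed the RFC 4408 budget of 10 lookup-causing terms or that reference themselves; the zone data and .test domain names are constructed placeholders.

```python
"""Count the DNS lookups an SPF record can trigger, against an in-memory
fake zone (constructed sample data, not real domains or real DNS)."""
import re

# Constructed fake zone: domain -> SPF TXT record.
FAKE_ZONE = {
    "example.test": "v=spf1 mx include:_spf.mailer.test include:partner.test -all",
    "_spf.mailer.test": "v=spf1 ip4:192.0.2.0/24 a:relay.mailer.test include:deep.mailer.test ~all",
    "deep.mailer.test": "v=spf1 a mx ptr exists:%{i}.rbl.test redirect=loop.test",
    "loop.test": "v=spf1 include:loop.test -all",  # record that includes itself
    "partner.test": "v=spf1 ip4:198.51.100.7 -all",
}

LOOKUP_LIMIT = 10  # RFC 4408 section 10.1: at most 10 lookup-causing terms
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def count_lookups(domain, zone=FAKE_ZONE, path=()):
    """Return (lookups, problems) for the SPF record published at `domain`.

    Worst case is counted: every lookup-causing term costs one lookup and
    every include/redirect target is evaluated recursively. (mx and ptr
    trigger further address lookups in a real resolver; not counted here.)
    `problems` lists include/redirect loops and missing records.
    """
    if domain in path:
        return 0, [f"include/redirect loop at {domain}"]
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0, [f"no SPF record for {domain}"]
    total, problems = 0, []
    for term in record.split()[1:]:
        # strip the qualifier (+ - ~ ?) and take the mechanism/modifier name
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost no lookups
        total += 1
        if name in ("include", "redirect"):
            target = term.split(":" if name == "include" else "=", 1)[1]
            sub, sub_problems = count_lookups(target, zone, path + (domain,))
            total += sub
            problems.extend(sub_problems)
    return total, problems

def check_domain(domain, zone=FAKE_ZONE):
    """Flag a record whose evaluation would blow the lookup budget."""
    lookups, problems = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{lookups} lookups exceed limit of {LOOKUP_LIMIT}")
    return lookups, problems
```

Running `check_domain("example.test")` over the constructed zone reports 11 lookups and the self-referencing include, which is the kind of record a receiver's resolver would otherwise chase on every message.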
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html